About this Manual 



This manual provides a complete description of the NetVanta 2000 series system and system software. The 
purpose of this manual is to provide the technician, system administrator, and manager with general and 
specific information related to the planning, installation, operation, and maintenance of the NetVanta 2000 
series. This manual is arranged so that needed information can be quickly and easily found. The following 
is an overview of the contents. 

Section 1 System Description 

Provides managers with an overview of the NetVanta 2000 series system. 

Section 2 Engineering Guidelines 

Provides information to assist network designers with incorporating the NetVanta 2000 
series system into their networks. 

Section 3 Network Turnup Procedure 

Provides step-by-step instructions on how to install the NetVanta 2000 series unit, 
determine the parameters for the system, install the network and option modules, and 
power up the system. 

Section 4 User Interface Guide 

A reference guide listing all menu options contained in the NetVanta 2000 series. 

Section 5 Detail Level Procedures 

Provides the Detail Level Procedures (DLPs) called out in Section 3 for performing various unit 
functions (upgrading firmware, telnet, etc.). 

Glossary and Acronyms 

Gives definitions of terms and acronyms used in the manual. 



Revision History 

This is the 4th issue of this manual. Revisions include: 
• NetVanta 2050 and 2400 additions 
Notes provide additional useful information. 



Cautions signify information that could prevent service interruption. 




Warnings provide information that could prevent damage to the equipment or 
endangerment to human life. 



Safety Instructions 

When using your telephone equipment, please follow these basic safety precautions to reduce the risk of 
fire, electrical shock, or personal injury: 

1. Do not use this product near water, such as a bathtub, wash bowl, kitchen sink, laundry tub, in a 
wet basement, or near a swimming pool. 

2. Avoid using a telephone (other than a cordless-type) during an electrical storm. There is a remote 
risk of shock from lightning. 

3. Do not use the telephone to report a gas leak in the vicinity of the leak. 

4. Use only the power cord, power supply, and/or batteries indicated in the manual. Do not dispose of 
batteries in a fire. They may explode. Check with local codes for special disposal instructions. 

Save These Important Safety Instructions 
Federal Communications Commission Radio Frequency Interference Statement 



This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant 
to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful 
interference when the equipment is operated in a commercial environment. This equipment generates, 
uses, and can radiate radio frequency energy and, if not installed and used in accordance with the 
instruction manual, may cause harmful interference to radio frequencies. Operation of this equipment in a 
residential area is likely to cause harmful interference in which case the user will be required to correct the 
interference at his own expense. 




Shielded cables must be used with this unit to ensure compliance with Class A FCC limits. 




Changes or modifications to this unit not expressly approved by the party responsible 
for compliance could void the user's authority to operate the equipment. 



Canadian Emissions Requirements 

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus 
as set out in the interference-causing equipment standard entitled "Digital Apparatus," ICES-003 of the 
Department of Communications. 

This digital apparatus complies with the Class A limits for radio noise emissions from digital apparatus 
set out in the interference-causing equipment standard entitled "Digital Apparatus," NMB-003, issued by 
the Department of Communications. 
Canadian Equipment Limitations 



Notice: The Canadian Industry and Science Canada label identifies certified equipment. This certification 
means that the equipment meets certain telecommunications network protective, operational, and safety 
requirements. The Department does not guarantee the equipment will operate to the user's satisfaction. 

Before installing this equipment, users should ensure that it is permissible to be connected to the facilities 
of the local telecommunications company. The equipment must also be installed using an acceptable 
method of connection. In some cases, the company's inside wiring associated with a single line individual 
service may be extended by means of a certified connector assembly (telephone extension cord). The 
customer should be aware that compliance with the above limitations may not prevent degradation of 
service in some situations. 

Repairs to certified equipment should be made by an authorized Canadian maintenance facility designated 
by the supplier. Any repairs or alterations made by the user to this equipment, or equipment malfunctions, 
may give the telecommunications company cause to request the user to disconnect the equipment. 

Users should ensure for their own protection that the electrical ground connections of the power utility, 
telephone lines and internal metallic water pipe system, if present, are connected together. This precaution 
may be particularly important in rural areas. 



Users should not attempt to make such connections themselves, but should contact the 
appropriate electric inspection authority, or an electrician, as appropriate. 



The Load Number (LN) assigned to each terminal device denotes the percentage of the total load to be 
connected to a telephone loop which is used by the device, to prevent overloading. The termination on a 
loop may consist of any combination of devices subject only to the requirement that the total of the Load 
Numbers of all devices does not exceed 100. 
Warranty and Customer Service 



ADTRAN will repair and return this product within five years from the date of shipment if it does not meet 
its published specifications or fails while in service. For detailed warranty, repair, and return information 
refer to the ADTRAN Equipment Warranty and Repair and Return Policy Procedure. 

Return Material Authorization (RMA) is required prior to returning equipment to ADTRAN. 

For service, RMA requests, or further information, contact one of the numbers listed at the end of this 
section. 



LIMITED PRODUCT WARRANTY 

ADTRAN warrants that for five years from the date of shipment to Customer, all products manufactured 
by ADTRAN will be free from defects in materials and workmanship. ADTRAN also warrants that 
products will conform to the applicable specifications and drawings for such products, as contained in the 
Product Manual or in ADTRAN's internal specifications and drawings for such products (which may or 
may not be reflected in the Product Manual). This warranty only applies if Customer gives ADTRAN 
written notice of defects during the warranty period. Upon such notice, ADTRAN will, at its option, either 
repair or replace the defective item. If ADTRAN is unable, in a reasonable time, to repair or replace any 
equipment to a condition as warranted, Customer is entitled to a full refund of the purchase price upon 
return of the equipment to ADTRAN. This warranty applies only to the original purchaser and is not 
transferable without ADTRAN's express written permission. This warranty becomes null and void if 
Customer modifies or alters the equipment in any way, other than as specifically authorized by ADTRAN. 

EXCEPT FOR THE LIMITED WARRANTY DESCRIBED ABOVE, THE FOREGOING 
CONSTITUTES THE SOLE AND EXCLUSIVE REMEDY OF THE CUSTOMER AND THE 
EXCLUSIVE LIABILITY OF ADTRAN AND IS IN LIEU OF ANY AND ALL OTHER WARRANTIES 
(EXPRESSED OR IMPLIED). ADTRAN SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, 
INCLUDING (WITHOUT LIMITATION), ALL WARRANTIES OF MERCHANTABILITY AND 
FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW THE EXCLUSION 
OF IMPLIED WARRANTIES, SO THIS EXCLUSION MAY NOT APPLY TO CUSTOMER. 

In no event will ADTRAN or its suppliers be liable to the Customer for any incidental, special, punitive, 
exemplary or consequential damages experienced by either the Customer or a third party (including, but 
not limited to, loss of data or information, loss of profits, or loss of use). ADTRAN is not liable for 
damages for any cause whatsoever (whether based in contract, tort, or otherwise) in excess of the amount 
paid for the item. Some states do not allow the limitation or exclusion of liability for incidental or 
consequential damages, so the above limitation or exclusion may not apply to the Customer. 
Customer Service, Product Support Information, and Training 

ADTRAN will repair and return this product if within five years from the date of shipment the product 
does not meet its published specification or the product fails while in service. 

A return material authorization (RMA) is required prior to returning equipment to ADTRAN. For service, 
RMA requests, training, or more information, use the contact information given below. 

Repair and Return 

If you determine that a repair is needed, please contact our Customer and Product Service (CAPS) 
department to have an RMA number issued. CAPS should also be contacted to obtain information 
regarding equipment currently in house or possible fees associated with repair. 

CAPS Department (256) 963-8722 

Identify the RMA number clearly on the package (below address), and return to the following address: 

ADTRAN Customer and Product Service 
901 Explorer Blvd. (East Tower) 
Huntsville, Alabama 35806 

RMA # 

Pre-Sales Inquiries and Applications Support 

Your reseller should serve as the first point of contact for support. If additional pre-sales support is needed, 
the ADTRAN Support web site provides a variety of support services such as a searchable knowledge 
base, latest product documentation, application briefs, case studies, and a link to submit a question to an 
Applications Engineer. All of this, and more, is available at: 

http://support.adtran.com 

When needed, further pre-sales assistance is available by calling our Applications Engineering 
Department. 

Applications Engineering (800) 615-1176 
Post-Sale Support 

Your reseller should serve as the first point of contact for support. If additional support is needed, the 
ADTRAN Support web site provides a variety of support services such as a searchable knowledge base, 
updated firmware releases, latest product documentation, service request ticket generation and 
trouble-shooting tools. All of this, and more, is available at: 

http://support.adtran.com 

When needed, further post-sales assistance is available by calling our Technical Support Center. Please 
have your unit serial number available when you call. 

Technical Support (888) 4ADTRAN 

Installation and Maintenance Support 

The ADTRAN Custom Extended Services (ACES) program offers multiple types and levels of installation 
and maintenance services which allow you to choose the kind of assistance you need. This support is 
available at: 

http://www.adtran.com/aces 
For questions, call the ACES Help Desk. 

ACES Help Desk (888) 874-ACES (2237) 

Training 

The Enterprise Network (EN) Technical Training Department offers training on our most popular products. 
These courses include overviews on product features and functions while covering applications of 
ADTRAN's product lines. ADTRAN provides a variety of training options, including customized training 
and courses taught at our facilities or at your site. For more information about training, please contact your 
Territory Manager or the Enterprise Training Coordinator. 

Training Phone (800) 615-1176, ext. 7500 

Training Fax (256) 963-6700 

Training Email training@adtran.com 
1. SYSTEM OVERVIEW 

The NetVanta 2000 series of VPN products includes small to mid-range IPSec-compliant gateways that 
provide the components required to secure an integrated VPN solution. Used primarily for remote access 
and site-to-multisite connectivity, the NetVanta 2050 and NetVanta 2100 target the corporate branch 
office, the small office/home office (SOHO), and business-to-business applications. As a branch office or 
mid-size host security gateway, the NetVanta 2300 provides the same features as the NetVanta 2100 with 
an added DMZ port for public server access. For large VPN networks, the NetVanta 2400 provides all 
necessary host site gateway functionality. The NetVanta 2000 series provides several key security and 
data management features: IPSec VPN tunneling, a stateful inspection firewall (providing cyber assault 
protection), authenticated remote user access, and Network Address Translation. Adherence to the IPSec 
standards (established and maintained by the IETF) makes the NetVanta 2000 series interoperable with 
many other IPSec-compliant gateways, allowing a multi-vendor VPN solution. 

On a public infrastructure like the Internet, security is of the utmost importance. The NetVanta 2000 series 
protects the corporate network against attacks with a built-in firewall and provides data security through 
encryption, authentication, and key exchange. The NetVanta 2000 series employs a stateful inspection 
firewall that protects an organization's network from common attacks, including TCP SYN flooding, 
IP spoofing, ICMP redirect, land attacks, ping-of-death, and IP reassembly problems. 
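Every attack named above is recognisable from header fields alone, which is what a stateful inspection firewall tests before it consults connection state. The following Python is an added example written for this edition, not ADTRAN firmware or configuration: it models those header checks over constructed packets. The field names, the private-address list used for the spoofing test and the SYN threshold are assumptions chosen for illustration.

```python
"""Added example, not NetVanta firmware: the header-level checks behind the
attack names above, run over constructed packets.  Field names, the private
address list and the SYN threshold are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Addresses that must never appear as a *source* on the untrusted (WAN) side.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYN_FLOOD_THRESHOLD = 100     # half-open SYNs tolerated per destination (assumed value)
IP_MAX_LEN = 65535            # largest legal reassembled IPv4 datagram
ICMP_REDIRECT = 5
LSRR, SSRR = 0x83, 0x89       # IP option codes: loose / strict source routing


@dataclass
class Packet:
    iface: str                # "wan" or "lan": where the packet arrived
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""       # subset of "SA" ("S" = SYN, "A" = ACK)
    icmp_type: int = -1
    frag_offset: int = 0      # IP fragment offset in 8-byte units, as in the header
    payload_len: int = 0      # bytes carried by this fragment
    ip_options: List[int] = field(default_factory=list)
    urgent: bool = False      # URG flag set (out-of-band data)


class StatefulChecks:
    """Minimal stateful inspector: everything is stateless except SYN tracking."""

    def __init__(self) -> None:
        self.half_open: Dict[str, int] = defaultdict(int)   # dst ip -> SYNs awaiting ACK

    def inspect(self, p: Packet) -> List[str]:
        reasons: List[str] = []
        src, dst = ip_address(p.src), ip_address(p.dst)
        # IP spoofing: internal source address arriving from the Internet side.
        if p.iface == "wan" and any(src in net for net in INTERNAL_NETS):
            reasons.append("ip-spoofing")
        # Land attack: SYN whose source and destination address *and* port match.
        if p.proto == "tcp" and "S" in p.tcp_flags and src == dst and p.sport == p.dport:
            reasons.append("land")
        # Ping of death / reassembly: fragment end would exceed the IP length limit.
        if p.frag_offset * 8 + p.payload_len > IP_MAX_LEN:
            reasons.append("ping-of-death")
        # ICMP redirect from outside would rewrite a host's routing table.
        if p.proto == "icmp" and p.icmp_type == ICMP_REDIRECT:
            reasons.append("icmp-redirect")
        # Source routing lets the sender pick the path and bypass policy routing.
        if any(opt in (LSRR, SSRR) for opt in p.ip_options):
            reasons.append("source-routing")
        # WinNuke: URG-flagged out-of-band data to the NetBIOS session port.
        if p.proto == "tcp" and p.dport == 139 and p.urgent:
            reasons.append("winnuke")
        # SYN flooding: count half-open attempts per destination.  Real firewalls
        # also age entries out; this model only counts and never forgets.
        if p.proto == "tcp" and p.tcp_flags == "S":
            self.half_open[p.dst] += 1
            if self.half_open[p.dst] > SYN_FLOOD_THRESHOLD:
                reasons.append("syn-flood")
        elif p.proto == "tcp" and "A" in p.tcp_flags and self.half_open[p.dst] > 0:
            self.half_open[p.dst] -= 1      # an ACK towards dst completes one handshake
        return reasons


def demo() -> Dict[str, List[str]]:
    """Runs constructed packets (RFC 5737 documentation addresses) through the checks."""
    fw = StatefulChecks()
    victim = "203.0.113.5"
    samples = {
        "land": Packet("wan", victim, victim, "tcp", 80, 80, "S"),
        "spoof": Packet("wan", "10.10.10.7", victim, "tcp", 4444, 80, "S"),
        "pod": Packet("wan", "198.51.100.9", victim, "icmp", icmp_type=8,
                      frag_offset=8189, payload_len=1480),   # 65512 + 1480 > 65535
        "redirect": Packet("wan", "198.51.100.1", victim, "icmp", icmp_type=ICMP_REDIRECT),
        "srcroute": Packet("wan", "198.51.100.9", victim, "tcp", 1024, 22, "S", ip_options=[LSRR]),
        "winnuke": Packet("wan", "198.51.100.9", victim, "tcp", 1025, 139, "A", urgent=True),
        "normal": Packet("wan", "198.51.100.9", victim, "tcp", 40000, 443, "S"),
    }
    results = {name: fw.inspect(p) for name, p in samples.items()}
    # Many SYNs to one destination, never completed: trips the flood counter.
    flood = [fw.inspect(Packet("wan", "198.51.100.9", victim, "tcp", 50000 + i, 443, "S"))
             for i in range(SYN_FLOOD_THRESHOLD + 1)]
    results["flood-last"] = flood[-1]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict or ['pass']}")
```

Only the SYN-flood test needs memory; the rest is decided per packet, which is why these checks are cheap enough to run on every frame ahead of the policy lookup.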

For encryption, the NetVanta 2000 series encrypts the data sent out onto the network using either the 
Data Encryption Standard (DES) or the 3DES algorithm. Where both ends support it, 3DES is the stronger 
choice; the 56-bit DES key space is small enough to be searched exhaustively. Data integrity is ensured 
using MD5 or SHA1 (as HMACs) as the data is transported across the public infrastructure. In addition, 
Internet Key Exchange (IKE) can be used for authentication, supporting public and private keys or digital 
certificates, assuring that the proper VPN tunnel is established and that the tunnel has not been 
redirected or compromised. 

NetVanta 2000 series units are Internet Protocol Security (IPSec)-compliant devices that support both the 
ESP and AH protocols and provide secure communication over potentially insecure network components. 
Acting as a security gateway, the NetVanta 2050 and 2100 can provide up to 10 encrypted tunnels through 
the Internet to remote locations, while the larger NetVanta 2300 supports up to 100 encrypted tunnels. 
For networks requiring more than 100 tunnels, the NetVanta 2400 provides 1000 encrypted tunnels. The 
NetVanta 2000 series can also hide internal IP addresses from the outside world by performing Network 
Address Translation (NAT). The internal router allows multiple users to share a VPN connection and can 
also direct incoming IP traffic. 

A remote NetVanta 2000 series unit can be configured and managed using a standard web browser. 
NetVanta 2000 series units also have built-in alert and logging mechanisms for messaging and mail 
services. These let the unit warn administrators about activity on the network by logging to a Syslog 
server or sending an e-mail to the administrator. 

Unlike a software VPN solution, which depends on the local CPU and memory to perform encryption, the 
NetVanta 2000 series units are standalone hardware platforms that off-load the CPU-intensive encryption 
process. 3DES encryption significantly impacts CPU performance, possibly slowing all local processes on 
the computer. Since the NetVanta 2000 series offers dedicated processing platforms to drive the encryption 
process, local computer performance is unaffected. 
2. FEATURES AND BENEFITS 

The NetVanta 2000 series provides granular control over network access, combining strong security, 
data authenticity and privacy, and ease of use. The major features of the NetVanta 2000 series 
are described below. 

Physical Interfaces 

• WAN: RJ-45 10/100 auto-sensing Ethernet interface 
• LAN: RJ-45 10/100 auto-sensing Ethernet interface 
• DMZ: RJ-45 10/100 auto-sensing Ethernet interface (NetVanta 2300 and 2400 only) 
• Serial Port: RS-232 for off-net configuration 

Firewall Features 

• Stateful inspection firewall 
• Application content filtering 
• Cyber assault protection 
• HTTP relay 

Address Translation 

• Basic NAT (1:1) 
• NAPT (Many:1) 
• Reverse NAT (translation of an inbound session's destination IP address) 
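The three modes above differ in what is rewritten and in what is allowed back in. The following Python is an added example, not NetVanta firmware, that models them as a connection table; addresses are from the RFC 5737 documentation ranges, and the table layout and port allocator are assumptions. The point it makes explicit: with NAPT an inbound packet passes only if it matches a session the LAN side opened or a reverse NAT rule, so every reverse NAT rule is a deliberate exposure of an internal host.

```python
"""Added example, not NetVanta firmware: the three translation modes listed
above modelled as a connection table.  Addresses come from the RFC 5737
documentation ranges; the table layout and port allocator are assumptions."""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class Translator:
    def __init__(self, wan_ip: str) -> None:
        self.wan_ip = wan_ip
        self.static: Dict[str, str] = {}                    # basic NAT 1:1: internal -> public
        self.reverse: Dict[int, Tuple[str, int]] = {}       # reverse NAT: wan port -> (internal, port)
        self.sessions: Dict[Flow, Flow] = {}                # expected reply flow -> original outbound flow
        self._next_port = 1024

    def add_static(self, internal: str, public: str) -> None:
        self.static[internal] = public

    def add_reverse(self, wan_port: int, internal: str, port: int) -> None:
        self.reverse[wan_port] = (internal, port)

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, flow: Flow) -> Flow:
        """LAN -> WAN: rewrite the source, remember how the reply must be undone."""
        src, sport, dst, dport = flow
        if src in self.static:                      # 1:1 keeps the port, swaps only the address
            public = (self.static[src], sport, dst, dport)
        else:                                       # many:1 (NAPT) shares wan_ip, needs a unique port
            public = (self.wan_ip, self._alloc_port(), dst, dport)
        reply_key = (dst, dport, public[0], public[1])
        self.sessions[reply_key] = flow
        return public

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """WAN -> LAN: None means drop.  Only replies to known sessions, reverse-NAT
        rules and 1:1 mappings are let through; everything else is unsolicited."""
        src, sport, dst, dport = flow
        if flow in self.sessions:
            orig_src, orig_sport, _, _ = self.sessions[flow]
            return (src, sport, orig_src, orig_sport)
        if dst == self.wan_ip and dport in self.reverse:   # published service
            internal, port = self.reverse[dport]
            return (src, sport, internal, port)
        for internal, public in self.static.items():       # 1:1 host is reachable on every port
            if dst == public:
                return (src, sport, internal, dport)
        return None


def demo() -> Dict[str, Optional[Flow]]:
    nat = Translator(wan_ip="203.0.113.2")
    nat.add_static("10.10.10.9", "203.0.113.9")            # 1:1 for a host that needs its own address
    nat.add_reverse(443, "10.10.10.5", 8443)               # publish an internal HTTPS server

    out = nat.outbound(("10.10.10.20", 40000, "198.51.100.80", 80))
    return {
        "napt-out": out,                                    # source becomes 203.0.113.2:1024
        "napt-reply": nat.inbound(("198.51.100.80", 80, out[0], out[1])),
        "unsolicited": nat.inbound(("198.51.100.80", 80, "203.0.113.2", 2222)),
        "reverse": nat.inbound(("198.51.100.7", 51515, "203.0.113.2", 443)),
        "static-out": nat.outbound(("10.10.10.9", 5000, "198.51.100.80", 25)),
        "static-in": nat.inbound(("198.51.100.80", 33333, "203.0.113.9", 22)),
    }


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:12s} {flow if flow else 'DROP'}")
```

Note the asymmetry between the modes: a 1:1 host is reachable on every port from outside, so it needs firewall policy in front of it, whereas a NAPT host is reachable only on the ports its reverse NAT rules publish.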

IPSec Tunnel 

• Encapsulating Security Payload (ESP) 
• Authentication Header (AH) 
• Manual key management or automatic key management using Internet Key Exchange (IKE) 
• X.509 certificate support 
• MD5-HMAC 128-bit authentication algorithm 
• SHA1-HMAC 160-bit authentication algorithm 
• DES-CBC 56-bit encryption 
• 3DES-CBC 168-bit encryption 
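The 128- and 160-bit figures above are the HMAC output lengths; in ESP and AH the Integrity Check Value (ICV) carried on the wire is the leftmost 96 bits (HMAC-MD5-96, RFC 2403; HMAC-SHA-1-96, RFC 2404). The following Python is an added example, not ADTRAN code: it builds an ESP packet, computes and verifies the truncated ICV with a constant-time comparison, and rejects a replayed sequence number. Keys and ciphertext are constructed, and the anti-replay rule (strictly increasing) is a simplification of the RFC 2401 sliding window.

```python
"""Added example, not NetVanta firmware: computing and checking the ESP
Integrity Check Value (ICV) with HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96
(RFC 2404).  The 128- and 160-bit figures in the list above are the hash output
sizes; on the wire both ICVs are truncated to the leftmost 96 bits.  Keys and
ciphertext here are constructed; the replay rule is a simplification."""
import hashlib
import hmac
import struct
from typing import Tuple

ICV_LEN = 12                       # 96 bits, the truncation both RFCs mandate
ESP_HDR = struct.Struct("!II")     # SPI, sequence number (network byte order)
ALGS = {"hmac-md5-96": hashlib.md5, "hmac-sha1-96": hashlib.sha1}
KEY_LEN = {"hmac-md5-96": 16, "hmac-sha1-96": 20}   # fixed key sizes per RFC 2403 / 2404


def compute_icv(alg: str, key: bytes, authenticated: bytes) -> bytes:
    if len(key) != KEY_LEN[alg]:
        raise ValueError(f"{alg} requires a {KEY_LEN[alg]}-byte key")
    return hmac.new(key, authenticated, ALGS[alg]).digest()[:ICV_LEN]


def build_esp(alg: str, key: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP authenticates SPI + sequence + ciphertext (never the ICV itself)."""
    authenticated = ESP_HDR.pack(spi, seq) + ciphertext
    return authenticated + compute_icv(alg, key, authenticated)


def verify_esp(alg: str, key: bytes, packet: bytes, last_seq: int) -> Tuple[bool, str]:
    """Check the ICV before anything else is parsed, then reject replayed sequence
    numbers.  Real IPSec keeps a sliding window (RFC 2401); this accepts only
    strictly increasing values."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return False, "short"
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = compute_icv(alg, key, authenticated)
    if not hmac.compare_digest(expected, icv):      # constant-time comparison
        return False, "bad-icv"
    _spi, seq = ESP_HDR.unpack_from(authenticated)
    if seq <= last_seq:
        return False, "replay"
    return True, "ok"


def demo() -> dict:
    results = {}
    ciphertext = bytes([0x8E] * 32)       # constructed stand-in for DES/3DES-CBC output
    for alg in ALGS:
        key = bytes(range(KEY_LEN[alg]))  # constructed key of the mandated length
        pkt = build_esp(alg, key, spi=0x1000, seq=1, ciphertext=ciphertext)
        tampered = bytearray(pkt)
        tampered[10] ^= 0x01              # flip one ciphertext bit
        results[alg] = {
            "len": len(pkt),
            "good": verify_esp(alg, key, pkt, last_seq=0),
            "tampered": verify_esp(alg, key, bytes(tampered), last_seq=0),
            "replay": verify_esp(alg, key, pkt, last_seq=1),
            "wrong-key": verify_esp(alg, key[::-1], pkt, last_seq=0),
        }
    return results


if __name__ == "__main__":
    for alg, r in demo().items():
        print(alg, r)
```

The order of checks matters: the ICV is verified before the sequence number or payload is interpreted, so a forged packet is discarded before it can influence any state, and the comparison is constant-time so a remote party cannot learn the ICV byte by byte from timing.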

Administration 

• Web-based management 
• Syslog logging in WELF format 
• E-mail alerts (SMTP) 
• User and group access control policies based on time-of-day 
• User accounting policy statistics 
DHCP 

• Server (to manage IP addresses on the local network) 
• Client (to acquire the WAN-side IP address from the service provider) 

PPPoE 

• Client (to acquire the WAN-side IP address from the service provider) 

Routing 

• TCP/IP 
• Static routes 
• RIP (V1 and V2) 
• RIP with authentication 
1. EQUIPMENT DIMENSIONS 

NetVanta 2050 and 2100 

The NetVanta 2050 and 2100 units are 9.0" W, 6.375" D, and 1.625" H and come equipped for table top 
and wallmount use. An optional rackmount shelf is available from ADTRAN. 

NetVanta 2300 and 2400 

The NetVanta 2300 and 2400 units are 17.25" W, 7.75" D, and 1.26" H and come equipped for rackmount use. 

2. POWER REQUIREMENTS 

NetVanta 2050 and 2100 

The NetVanta 2050 and 2100 have a maximum power consumption of 9 W and a maximum current draw of 
800 mA. 

NetVanta 2300 and 2400 

The NetVanta 2300 and 2400 have a maximum power consumption of 11 W and a maximum current draw of 0.2 A. 

3. REVIEWING THE FRONT PANEL DESIGN 

NetVanta 2050 

The NetVanta 2050 front panel monitors operation by providing status LEDs for both the LAN and WAN 
interfaces, as well as VPN tunnels and traffic. The front panel is shown in Figure 1. 




Figure 1. NetVanta 2050 Front Panel Layout 
NetVanta 2100 

The NetVanta 2100 front panel monitors operation by providing status LEDs for both the LAN and WAN 
interfaces, as well as VPN tunnels and traffic. The front panel is shown in Figure 2. 




Figure 2. NetVanta 2100 Front Panel Layout 



NetVanta 2300 

The NetVanta 2300 front panel monitors operation by providing status LEDs for the LAN, WAN, and 
DMZ interfaces, as well as VPN tunnels and traffic. The front panel is shown in Figure 3. 












Figure 3. NetVanta 2300 Front Panel Layout 



NetVanta 2400 

The NetVanta 2400 front panel monitors operation by providing status LEDs for the LAN, WAN, and 
DMZ interfaces, as well as VPN tunnels and traffic. Additionally, an LCD display provides quick-glance 
access to the LAN IP parameters (IP address and subnet mask). The front panel is shown in Figure 4. 




Figure 4. NetVanta 2400 Front Panel Layout 
Front Panel LEDs 

With the NetVanta 2000 series powered-up, the front panel LEDs provide visual information about the 
status of the system. Table 1 provides a brief description of the front panel features, and Table 2 provides 
detailed information about the LEDs. 



Table 1. NetVanta 2000 series Front Panel Description 

Feature                      Description 
PWR                          Indicates whether the unit has power. 
VPN (2050/2100 only)         Indicates status of VPN negotiations. 
VPN TD                       Indicates VPN traffic transmitted by the NetVanta. 
VPN RD                       Indicates VPN traffic received by the NetVanta. 
VPN ACT (2300/2400 only)     Indicates status of VPN negotiations. 
LAN TD                       Indicates LAN traffic transmitted by the NetVanta. 
LAN RD                       Indicates LAN traffic received by the NetVanta. 
LAN LNK (2300/2400 only)     Indicates active physical link on the LAN port. 
WAN TD                       Indicates WAN traffic transmitted by the NetVanta. 
WAN RD                       Indicates WAN traffic received by the NetVanta. 
WAN LNK (2300/2400 only)     Indicates active physical link on the WAN port. 


Table 2. NetVanta 2000 series LEDs 

For these LEDs...          This color light...                        Indicates that... 
PWR                        Red (solid)                                The unit has power and is in the boot process. 
                           Green (solid)                              The unit has power and has successfully completed the boot process. 
VPN (2050/2100 only)       Amber (slow blink)                         Initial Phase 1 IKE negotiation in progress. 
VPN ACT (2300/2400 only)   Green (slow blink)                         Initial Phase 1 IKE negotiation completed successfully. 
                           Red (slow blink)                           Phase 1 IKE negotiation failed. 
                           Amber (fast blink)                         Phase 2 IKE negotiation in progress. 
                           Green (solid)                              Phase 2 IKE negotiation completed successfully. 
                           Red (fast blink)                           Phase 2 IKE negotiation failed. 
                           Amber and Green (alternating slow blink)   There is an active tunnel and an additional IKE Phase 1 negotiation in progress. 
Table 2. NetVanta 2000 series LEDs (Continued) 

For these LEDs...          This color light...    Indicates that... 
VPN TD                     Green (blink)          Flashes with VPN data transmitted by the NetVanta 2000 series. 
VPN RD                     Green (blink)          Flashes with VPN data received by the NetVanta 2000 series. 
LAN TD                     Green (blink)          Flashes with data transmitted on the LAN interface. 
LAN RD                     Green (blink)          Flashes with data received on the LAN interface. 
LAN LNK (2300/2400 only)   Green (solid)          Unit has an active physical connection on the LAN interface. 
WAN TD                     Green (blink)          Flashes with data transmitted on the WAN interface. 
WAN RD                     Green (blink)          Flashes with data received on the WAN interface. 
WAN LNK (2300/2400 only)   Green (solid)          Unit has an active physical connection on the WAN interface. 



4. REVIEWING THE REAR PANEL DESIGN 

NetVanta 2050 and 2100 

The NetVanta 2050 and 2100 rear panel contains 2 Ethernet ports, a DB-9 serial connection, and a power 
connection (see Figure 5). 




Figure 5. NetVanta 2050 Rear Panel Layout 
NetVanta 2300 

The NetVanta 2300 rear panel contains 3 Ethernet ports, a DB-9 serial connection, and a power connection 
(see Figure 6). 




Figure 6. NetVanta 2300 Rear Panel Layout 



NetVanta 2400 

The NetVanta 2400 rear panel contains 3 Ethernet ports, a DB-9 serial connection, a power connection, and 
ventilation openings (see Figure 7). 







Figure 7. NetVanta 2400 Rear Panel Layout 



LAN Interface 

The NetVanta 2000 series provides a standard 10/100BaseT Ethernet interface for connection to the local 
corporate network. Connect the LAN interface to a hub located on your local corporate network. A DHCP 
server is enabled on the LAN interface by default. References to the LAN interface include LAN, CORP, 
and Eth0. 



The LAN connection follows, and Table 3 shows the pinout. 



Connector Type RJ-48C 

Table 3. LAN Pinout 

Pin     Name      Description 
1       TX1       Transmit Positive 
2       TX2       Transmit Negative 
3       RX1       Receive Positive 
4, 5    UNUSED 
6       RX2       Receive Negative 
7, 8    UNUSED 
WAN Connection 

The NetVanta 2000 series provides a standard 10/100BaseT Ethernet interface for connection to the wide 
area network. Connect the WAN interface to a hub connected to the router interfacing with the non-secure 
Internet, or to the modem (cable or DSL) used for Internet access. A DHCP client is enabled on the WAN 
interface by default. References to the WAN interface include Internet, WAN, and Eth1. 

Connector Type (USOC) RJ-48C 



Table 4. WAN Pinout 

Pin     Name      Description 
1       TX1       Transmit Positive 
2       TX2       Transmit Negative 
3       RX1       Receive Positive 
4, 5    UNUSED 
6       RX2       Receive Negative 
7, 8    UNUSED 





DMZ Connection (NetVanta 2300 and 2400 Only) 

The NetVanta 2300 and 2400 provide a standard 10/100BaseT Ethernet interface for providing public 
server access. Table 5 shows the pinout for the DMZ port. 

Connector Type (USOC) RJ-48C 



Table 5. DMZ Pinout 

Pin     Name      Description 
1       TX1       Transmit Positive 
2       TX2       Transmit Negative 
3       RX1       Receive Positive 
4, 5    UNUSED 
6       RX2       Receive Negative 
7, 8    UNUSED 
COM1 Interface 

The NetVanta 2000 series provides a DB-9 serial communication port reserved for a future command-line 
interface. Table 6 shows the pinout for the DB-9 connector. 

Connector Type DB-9 



Table 6. DB-9 Connector Pinout 

Pin     Name      Description 
1       DCD       Data Carrier Detect 
2       RD        Receive Data 
3       TD        Transmit Data 
4       DTR       Data Terminal Ready 
5       SG        Signal Ground 
6       DSR       Data Set Ready 
7       RTS       Request to Send 
8       CTS       Clear to Send 
9       RI        Ring Indicator 



Power Connection 
NetVanta 2050 and 2100 

The NetVanta 2050 and 2100 include a 12 VDC power supply. Connect the power supply to a standard 
120 VAC, 60 Hz electrical outlet for proper operation. 

NetVanta 2300 and 2400 

The NetVanta 2300 and 2400 include an auto-sensing 100-240 VAC, 50/60 Hz power supply with a 
three-prong removable cable. Connect the power supply to a standard 120 VAC, 60 Hz or 220 VAC, 50 Hz 
electrical outlet for proper operation. 
5. AT-A-GLANCE SPECIFICATIONS 

Table 7 lists the specifications for the NetVanta 2000 series system. 



Table 7. Specifications 

Application      Feature                        Specification 
Firewall         Stateful Inspection Firewall   Provides protection against the following attacks: IP Spoofing, 
                                                Land Attack, Ping of Death, and Reassembly Attack. 
                                                Provides checks for the following attacks: ICMP Redirect, 
                                                SYN Flooding, WinNuke, and Source Routing. 
IPSec Tunnel     Encryption                     Encapsulating Security Payload (ESP) 
                                                DES-CBC 56-bit encryption 
                                                3DES-CBC 168-bit encryption 
                 Authentication                 Authentication Header (AH) 
                                                MD5-HMAC 128-bit authentication algorithm 
                                                SHA1-HMAC 160-bit authentication algorithm 
                 Certificate Support            X.509 certificate support 
                 IKE                            Manual key management, or automatic key management using 
                                                Internet Key Exchange (IKE) 
Table 7. Specifications (Continued) 

Application          Feature        Specification 
DHCP                 Server         Supports three IP address ranges on the local network 
                                    User-defined lease duration 
                                    Real-time status of active leases 
                     Client         Acquires the WAN-side IP address from the service provider's DHCP server 
Routing              RIP            Supports RIP v1, RIP v2, and a combination of both 
                                    Separate RIP configuration for the LAN and WAN sides 
                                    Supports RIP using authentication keys 
Address Translation  NAT            Supports one-to-one NAT (Static NAT) 
                     NAPT           Supports many-to-one NAT (Dynamic NAT) 
                     Reverse NAT    Translates an inbound session's destination IP address 
Table 7. Specifications (Continued) 

Application      Feature           Specification 
Administration   Web Management    Provides a GUI (graphical user interface) for configuring the NetVanta 2000 series 
                 SYSLOG            Provides levels for logging events to an active SYSLOG server on the network 
                 E-Mail Alerts     Capability to e-mail an alert message when programmed thresholds are reached 
                 Statistics        User monitoring, policy, and access statistics available 
1. INTRODUCTION 

This section discusses the installation process of the NetVanta 2000 series systems. 

2. TOOLS REQUIRED 

The tools required for installation of the NetVanta 2000 series systems are: 

• CAT5 UTP Ethernet cable to connect the unit to the existing network 
• An Internet browser for configuring the unit 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 



3. UNPACK AND INSPECT THE SYSTEM 

Each NetVanta 2000 series unit is shipped in its own cardboard shipping carton. Open each carton 
carefully and avoid deep penetration into the carton with sharp objects. 

After unpacking the unit, inspect it for possible shipping damage. If the equipment has been damaged in 
transit, immediately file a claim with the carrier, then contact ADTRAN Customer Service (see Customer 
Service, Product Support Information, and Training in the front of this manual). 

Contents of ADTRAN Shipments - NetVanta 2050 and 2100 

Your ADTRAN shipment includes the following items: 

• The NetVanta 2050 or 2100 Unit 

• The NetVanta 2000 series User Manual CD (ADTRAN P/N 3253041) 

• AC Power supply - (ADTRAN P/N 336012 VUR01) 

• Crossover Ethernet cable for connecting the NetVanta 2050 or 2100 directly to a PC 
(ADTRAN P/N 8125M012) 

Contents of ADTRAN Shipments - NetVanta 2300 and 2400 

Your ADTRAN shipment includes the following items: 

• The NetVanta 2300 or 2400 Unit 

• The NetVanta 2000 series User Manual CD (ADTRAN P/N 3253041) 

• AC Power cable (ADTRAN P/N 3127009) 

• (2) Brackets for installing the unit in a rackmount configuration (ADTRAN P/N 3265479) 
4. SUPPLYING POWER TO THE UNIT 
NetVanta 2050 and 2100 

The AC powered NetVanta 2050 and 2100 come equipped with a detachable 12 VDC at 800 mA 
wallmount power supply for connecting to a grounded power receptacle. As shipped, the NetVanta 2050 
and 2100 are set to factory default conditions. After installing the unit, the NetVanta 2050 and 2100 are 
ready for power-up. To power-up the unit, connect the unit to an appropriate power source. 

This unit shall be installed in accordance with Articles 400 and 364.8 of the NEC NFPA 
70 when installed outside of a Restricted Access Location (i.e., central office, behind a 
locked door, service personnel only area). 

Power to the NetVanta 2050/2100 AC system must be from a grounded 90-130 VAC, 
50/60 Hz source. 

The power receptacle uses double-pole, neutral fusing. 
Maximum recommended ambient operating temperature is 45 °C 



NetVanta 2300 and 2400 

The AC powered NetVanta 2300 and 2400 come equipped with an auto-sensing 100-240 VAC, 50-60 Hz 
power supply for connecting to a grounded power receptacle. A grounded three-prong detachable cable is 
included with the shipment. As shipped, the NetVanta 2300 and 2400 are set to factory default conditions. 
After installing the unit, the NetVanta 2300 and 2400 are ready for power-up. To power-up the unit, 
connect the unit to an appropriate power source. 

This unit shall be installed in accordance with Article 400 and 364.8 of the NEC NFPA 
70 when installed outside of a Restricted Access Location (i.e., central office, behind a 
locked door, service personnel only area). 

Power to the NetVanta 2300/2400 AC system must be from a grounded 100-240 VAC, 
50/60 Hz source. 

The power receptacle uses double-pole, neutral fusing. 
Maximum recommended ambient operating temperature is 45 °C. 



5. INSTALLING NETVANTA 2000 SERIES MANAGEMENT COMPONENTS 

Configuring the NetVanta 2000 series unit through the web interface requires a host computer with an 
Ethernet interface and a web browser. ADTRAN recommends using Internet Explorer 5.0 or greater for 
optimal viewing of configuration web pages. 

The NetVanta 2000 series of products contains a default IP address of 10.10.10.1 and a netmask of 
255.255.255.0. Select an IP address in the same range as the NetVanta unit and assign it to the host 
computer running the web browser. An example IP address is 10.10.10.10 with a subnet mask of 
255.255.255.0. This section contains detailed procedures for assigning the selected IP address to a host 
computer for each of the popular operating systems. 
If you have a PC with DHCP client capabilities enabled, connect the NetVanta 2000 series 
unit directly to your computer using the supplied Ethernet crossover cable and follow the 
procedure in DLP-1, Connecting to the NetVanta 2000 Series, to connect for the first time. 



The NetVanta 2000 series products have DHCP server capabilities enabled by 
default. Connecting the unit to a network with a functioning DHCP server can cause 
IP address assignment conflicts. 




For any operating system not discussed in this section, refer to the system's user 
documentation for instructions on assigning IP addresses. 



Browsing Hosts Running Microsoft Windows NT, Windows 2000, or Windows 98/95 

1. Follow the menu path Start>Settings>Control Panel. 

2. After the Control Panel appears, double-click the Network icon to display the existing network 
configuration. 

3. Select TCP/IP from the list of installed network components. If there are multiple sessions, select 
the one for the Ethernet card in the host computer. 

4. Click Properties, which shows the existing properties of the TCP/IP protocol running on the host 
computer in a multi-paned window. 

5. Select the IP Address pane by clicking on it. 

6. Check the Specify an IP Address radio button. 

7. Enter the IP Address as: 10.10.10.50 and Subnet Mask as: 255.255.255.0. 

8. Click OK to close the properties window. 

9. Click OK on the network configuration window, which will ask you to reboot the browser 
computer. 

10. Click Yes to reboot your computer. 

Browsing Hosts Running POSIX-Compliant UNIX 

1. Log in as root, or change to superuser. 

2. Run the ifconfig command with the -a option to list the configured network interfaces in the system. This 
also shows the Ethernet interface name. For example: 

# ifconfig -a 

lo0: flags=863<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232 inet 127.0.0.1 netmask 
ff000000 

hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500 
inet 192.103.55.186 netmask ffffff00 broadcast 192.103.255.255 
ether 8:0:20:a8:38:c6 

3. Change the IP address of the Ethernet interface to 10.10.10.50 with subnet mask 255.255.255.0 by 
using the ifconfig command. For example: 

# ifconfig eth0 10.10.10.50 netmask 255.255.255.0 

4. Run the ifconfig command with the -a option again to make sure the interface address change is effective. 
1. NAVIGATING THE ADMINISTRATION CONSOLE 

The NetVanta 2000 series uses a web-based Administration Console for displaying both menu options and 
data fields. All menu options display in the Administration Console Header (see Figure 1), through which 
you have complete control of the NetVanta 2000 series. 
Figure 1. NetVanta 2000 series Administration Console 



Administration Console 

The Administration Console shows the available areas of configuration for the NetVanta 2000 series and 
the appropriate menu selections. This header remains visible as you navigate through the individual menu 
pages. The console contains a main menu bar and a menu list. 

Menu Bar 

The Administration Console menu bar displays the four areas of configuration for the NetVanta 2000 
series. They are Config, Admin, Policies, and Monitor. Selecting an area of configuration by clicking on 
the hyperlink displays the applicable menu options in the menu list (located on the left side of the screen). 

Menu List 

The Administration Console menu list displays the selections available from the active menu (enable the 
desired menu from the menu bar). Each menu list selection is a hyperlink which displays the applicable 
menu items and data fields in the display window. 
2. MENU OVERVIEW 

The NetVanta 2000 series configuration is divided into four main areas: Config, Admin, Policies, and 
Monitor. This section gives a brief discussion of each area and the menu options available. Menu 
Descriptions on page 39 and following gives a more detailed discussion of these menu options. 



Config 

The Config menu contains the basic configuration parameters of the NetVanta 2000 series box including 
IP addresses assigned to the network interfaces, setting up a routing table, Firewall settings, and DHCP 
server configuration. Figure 2 shows the available menu options (displayed in the option list) for the 
Config menu. 
Figure 2. Config Menu Information 

Admin 

The Admin menu contains the various system administration activities on the NetVanta 2000 series box 
such as changing the root password, saving the configuration to permanent storage, factory defaults, and 
rebooting the system. Figure 3 shows the available menu options (displayed in the option list) for the 
Admin menu. 
Figure 3. Admin Menu Information 

Policies 



The Policies menu contains the system wide access policies and user-group specific access policies. 
Through the available menu options you can define the policies and determine how to maintain different 
policy component tables (see Figure 4). 



[Figure 4 screenshot: the NetVanta 2300 Administration Console with menu bar CONFIG, ADMIN, POLICIES, MONITOR, LOGOUT; menu list Manage Lists > User Groups; User Group table with columns Select, Group Name, HTTP Authentication, IKE Authentication, Access Policies, SPD Policies and buttons Add, Delete, Edit, Clear, Configured Policies] 

Figure 4. Policies Menu Information 
Monitor 



The Monitor menu contains all information pertinent to policy statistics, user accounting, and log usage. 
Through the available menu options you can view the status of remote user sessions, configure the log 
message categories, and view the log messages stored in the NetVanta 2000 series event log queue. Figure 
5 shows the available menu options (displayed in the option list) for the Monitor menu. 
Figure 5. Monitor Menu Information 



38 



©2002 ADTRAN, Inc. 



61200361L1-1E 



NetVanta 2000 Series System Manual 



Section 4, User Interface Guide 



3. MENU DESCRIPTIONS 

The NetVanta 2000 series comes pre-configured with a default IP address of 10.10.10.1 assigned to the 
corporate interface (LAN). To begin the configuration of the NetVanta 2000 series, point the active 
browser on your computer to http://10.10.10.1. Once the browser has successfully connected to the unit 
you will be presented with the login screen. You must log in using a valid user name and password to start 
the NetVanta 2000 series configuration in an MD5 authenticated web session. When setting up the first 
MD5 authenticated session, the default user name is admin. There is no password set for this user. Refer to 
DLP-001, Connecting to the NetVanta 2000 Series, for more instructions on logging in to the unit. 

Enter admin in the user name field and click on the Login Now button. The NetVanta 2000 series Welcome 
page will display after the login process has been successfully completed. You can now proceed with the 
NetVanta 2000 series configuration. 




ADTRAN strongly recommends immediately changing the admin password. Refer to 
DLP-002, Changing the Admin Password in the NetVanta. 



> CONFIG 

This section discusses the basic configuration of the NetVanta 2000 series including IP addresses assigned 
to the network interfaces, setting up a routing table, Firewall settings, and DHCP server configuration. 

The basic configuration of the NetVanta 2000 series can be displayed by clicking on the Config menu on 
the Administration Console. Basic configuration includes setting the date and time on the box, network 
interface configuration, setting up the IP routing table, basic firewall configuration, event logging 
configuration, web proxy configuration, and DHCP (Dynamic Host Configuration Protocol) server 
configuration. 

> Config > General 

The General Configuration page is displayed by clicking on General found in the menu list on the left 
side of the display window. 

This page displays the important information of your NetVanta 2000 series system including the Serial 
Number, current Firmware Version, and System Up Time. Please have this information available before 
contacting the ADTRAN Technical Support team at (888) 4-ADTRAN (423-8726). 

To set the system date and time, enter the current date in the form mm-dd-yyyy (example: March 3, 2001 is 
03-03-2001) and time in the form hours:minutes:seconds (example 11:02 pm is 23:02:00). Select the 
Change Date and Time? checkbox and click the Submit button to enter the new date and time. 

The DNS server configuration for the NetVanta 2000 series is also located on the General Configuration 
page. If the NetVanta 2000 series needs to resolve domain names it will use the DNS server IP address 
configured here. Configuring a DNS server IP address is optional. 
> Config > Network Interface 

The Network Interface configuration page is displayed by clicking on Network Interface found in the 
option list on the left side of the display window. 

> Config > Network Interface > Ethernet Config > Ethernet IP Address 

The Ethernet IP Address section contains the information for both the Corporate (LAN) and WAN IP 
addresses, and subnet masks. 

The Corporate IP and Subnet Mask fields should be configured with parameters that correspond to the 
corporate network connected to the LAN interface located on the back of the NetVanta 2000 series unit. 

The WAN IP Type should be set to Dynamic if your ISP is using DHCP to assign IP addresses dynamically 
or STATIC if your ISP has assigned you a specific IP address to use each time you connect. If your WAN IP 
Type is Static, the WAN IP and Subnet Masks fields should be configured with the specific information 
provided by your ISP. 

The NetVanta 2000 series also supports PPPoE (PPP over Ethernet) to obtain a WAN interface IP address. 
Select the PPPoE radio button and enter the Username and Password provided by your ISP in the 
appropriate fields. 

> Config > Network Interface > Rip Config > Rip Configuration 

The Rip Configuration field selects the RIP version being used by the NetVanta 2000 series. RIPONE is 
standard RIP V1. The NetVanta 2000 series supports RIP V1 on both the LAN and WAN interfaces. 
RIPTWO is standard RIP V2. The NetVanta 2000 series supports RIP V2 on both the LAN and WAN 
interfaces. RIPCOMP is a combination of RIP V1 and RIP V2. When configured for RIPCOMP, the 
NetVanta 2000 series is capable of listening to RIP V1 updates while maintaining full compatibility with 
RIP V2 systems. 

> Config > Network Interface > Rip Config > Authentication Type 

The Authentication Type field configures the NetVanta 2000 series to use the selected authentication when 
performing RIP functions. If authentication is configured, other systems providing the NetVanta 2000 
series with RIP updates must be configured for matching authentication. The NetVanta 2000 series 
supports both SIMPLEAUTH (using a single password) and MD5 authentication (requiring the use of keys 
entered in the MD5 AUTH KEY ID and MD5 AUTH KEY fields). 

> Config > Network Interface > DHCP Info 

The DHCP Info table for the NetVanta 2000 series displays the current DHCP client interface information 
for both the LAN and WAN ports. This table is only valid if the NetVanta 2000 series is connected to a 
network with an active DHCP server. 

> Config > Routes 

The Routing table for the NetVanta 2000 series can be reached by clicking on Routes found in the menu 
list on the left side of the display window. The following is a description of the routing table fields. 
> Config > Routes > Destination IP 

The Destination IP address field displays the IP address of the destination network for the route. The 
NetVanta 2000 series uses this information when making routing decisions. 

> Config > Routes > Interface Name 

The Interface Name field displays the name of the interface that is accessed to send data using the listed 
route. The options are: eth0 (the LAN port located on the back panel of the unit) and eth1 (the WAN port 
located on the back panel of the unit). 

> Config > Routes > NetMask 

The Net Mask field displays the current subnet mask used for the listed route. Subnet masks are used to 
identify subnetworks to allow for IP sharing on a LAN. 

> Config > Routes > Gateway IP 

The Gateway IP field displays the IP address of the first intelligent device that intercepts and steers data 
for its assigned network. The IP route table for the gateway of a network should contain routes to all 
available subnets on the network. 

> Config > Routes > Hop Count 

The Hop Count field displays the number of gateways datagrams pass through when taking this route to 
their destination. 

> Config > Routes > Type 

The Type field designates whether a route was configured or learned. Configured routes show up as 
Local. Learned routes show up as Dynamic. 

> Config > Routes > Delete Route 

Select the routing entry you want to delete by choosing the corresponding checkbox and clicking the 
Delete Route button. This will delete the selected route entry. 




Before clicking the Delete Route button, make sure that you have selected the correct 
routing entry. Removing the routing entry for a destination may make it inaccessible. 



> Config > Firewall 

The Firewall Configuration page can be accessed by clicking on Firewall found in the menu list on the 
left side of the display window. This page provides control to activate different cyber attack checks. The 
event logging thresholds for cyber attacks are also configured on the Firewall Configuration page. 
> Config > Firewall > IP Spoofing Check 

IP Spoofing is a network intrusion that occurs when an outside user gains access to a computer on the 
network by pretending to be at a trusted IP address. IP Spoofing Check is always Enabled, and the 
NetVanta 2000 series discards any packets received on the WAN interface containing a source IP address 
on the corporate network. 

> Config > Firewall > Ping of Death Check 

Ping of Death is a denial of service attack which exploits errors in the oversize datagram handling 
mechanism of a TCP/IP stack. Many popular operating systems have difficulty handling datagrams larger 
than the maximum datagram size defined by the IP standard. If hosts running these operating systems 
encounter oversized ping packets, it is likely they will hang or crash, causing network problems. Ping of 
Death Check is always Enabled: the NetVanta 2000 series is the central entry point for all 
traffic entering the corporate network, and it watches for such non-standard IP datagrams and filters them 
before they reach vulnerable hosts on the network. 

> Config > Firewall > Land Attacks Check 

Land Attacks are a special type of denial of service attack on TCP-based services such as HTTP, SMTP, 
and FTP. In a Land Attack an attacker forges equal values for the source and destination port, and for the 
source and destination IP addresses. These port values are often the well-known service port values, and 
the IP addresses are the target host's IP address. This attack exploits an inappropriate implementation of 
the TCP connection establishment protocol in a TCP/IP stack; as a result the target server enters an 
uncontrollable infinite spin and eventually the system crashes. Land Attack Check is always Enabled, 
and the NetVanta 2000 series ensures that all service requests made to any of the hosts in the corporate 
network are Land Attack free. 

> Config > Firewall > Reassembly Attack 

Datagrams traveling in the Internet may pass through heterogeneous networks which require them to be 
fragmented and reassembled at their destinations. Certain popular TCP/IP implementations cannot handle 
all datagram reassembly scenarios properly. If an attacker sends datagram fragments to a host with limited 
datagram reassembly capabilities the host is likely to behave unpredictably. Reassembly Attack is always 
Enabled, and the NetVanta 2000 series invokes its robust datagram reassembly engine to perform the 
datagram reassembly strictly conforming to IP standards. 

> Config > Firewall > SYN Flooding Attack Check 

SYN Flooding is a well-known denial of service attack on TCP based services. TCP requires a 3-way 
handshake before the actual communications between two hosts begins. A server must allocate resources 
to process new connection requests that are received. A malicious intruder is capable of transmitting large 
amounts of service requests in a very short period causing servers to allocate all resources to process the 
incoming requests. If SYN Flooding Attack Check is selected, the NetVanta 2000 series filters out phony 
service requests and allows only legitimate requests to pass through. 
> Config > Firewall > ICMP Redirect Check 

ICMP Redirect is a standard ICMP message used to provide hosts with better route information to the 
source. When this message is received, the recipient updates its routing table with the new routing 
information provided, with no authentication required. An intruder can provide a target with route 
information of his or her choosing, thereby gaining control over the host's routing table. It is possible for an 
intruder to access the data originating from the target host once the host's routing table has been 
compromised. If ICMP Redirect Check is Enabled, the NetVanta 2000 series discards all ICMP Redirect 
messages. 

> Config > Firewall > Source Routing Check 

Strict and loose source routing (as specified in IP standard RFC 791) allows datagrams to take a predefined 
path towards a destination. An intruder can gain detailed information about the corporate network by 
tracking datagrams through the corporate network. If Source Routing Check is Enabled, the NetVanta 
2000 series filters out all datagrams that contain the strict or loose source routing option. 

> Config > Firewall > WinNuke Attack Check 

The WinNuke attack is a well-known denial of service attack on hosts running Windows operating systems. A 
malicious intruder sends Out of Band (OOB) data over an established connection to a Windows user. 
Windows cannot properly handle the OOB data and the host reacts unpredictably. A normal shut-down of the 
host will generally return all functionality. If WinNuke Attack Check is selected, the NetVanta 2000 
series filters OOB data to prevent network problems. 

> Config > Firewall > Event Logging Thresholds 

Event logging thresholds prevent large quantities of duplicate logs if the NetVanta 2000 series or the 
corporate network connected to it is under attack. 

The Log Attacks for Every threshold indicates the number of attack mounting attempts the NetVanta 
2000 series should see before generating a log message. The default value for an attack log threshold is 
100. 

The Log Policy for Every threshold defines the number of connections required by an access policy 
through the NetVanta 2000 series before a log message is generated for that policy. The default value for 
the policy access log threshold is 100. 

The Log VPN for Every threshold defines the number of VPN enabled connections required by a VPN 
policy before generating a log message for that policy. The default value for the VPN log threshold is 100. 
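The firewall checks described in the preceding sections, together with the Log Attacks for Every threshold, modelled as an added example (not ADTRAN's firmware code) on constructed packet records. It assumes the corporate network is the unit's default 10.10.10.0/24, that eth0/eth1 are the LAN/WAN ports as named in the Routes section, and that the unit's WAN address is 198.51.100.1.

```python
"""Added example, not ADTRAN's firmware code: models the firewall checks
described above (IP Spoofing, Land Attack, Ping of Death, ICMP Redirect,
Source Routing) on constructed packet records, and the "Log Attacks for Every"
threshold that suppresses duplicate attack log messages."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions: the corporate (LAN) network is the unit's default 10.10.10.0/24,
# eth0 is the LAN port and eth1 the WAN port (names from the Routes section).
CORPORATE_NET = ipaddress.ip_network("10.10.10.0/24")
LAN_IFACE, WAN_IFACE = "eth0", "eth1"
MAX_IP_DATAGRAM = 65535            # maximum datagram size defined by the IP standard (RFC 791)
IPOPT_LSRR, IPOPT_SSRR = 131, 137  # loose / strict source route option type codes
ICMP_REDIRECT = 5                  # ICMP Redirect message type


@dataclass
class Packet:
    """Constructed summary of one (reassembled) IP datagram."""
    iface: str                     # interface the datagram arrived on
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    total_len: int = 64            # reassembled datagram length in bytes
    ip_options: tuple = ()         # IP option type codes present in the header


def check_packet(pkt, corporate_net=CORPORATE_NET,
                 icmp_redirect_check=True, source_routing_check=True):
    """Return the name of the check that discards the packet, or None to pass it.

    IP Spoofing, Land Attack and Ping of Death are always enabled, as on the
    unit; the ICMP Redirect and Source Routing checks are configurable."""
    # IP Spoofing: a WAN packet claiming a corporate-network source address.
    if pkt.iface == WAN_IFACE and ipaddress.ip_address(pkt.src) in corporate_net:
        return "ip_spoofing"
    # Land Attack: TCP segment with equal source/destination IP and port.
    if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
        return "land_attack"
    # Ping of Death: a reassembled datagram larger than the IP standard allows.
    if pkt.total_len > MAX_IP_DATAGRAM:
        return "ping_of_death"
    # ICMP Redirect: would rewrite a host's routing table with no authentication.
    if icmp_redirect_check and pkt.proto == "icmp" and pkt.icmp_type == ICMP_REDIRECT:
        return "icmp_redirect"
    # Source Routing: datagram carries a strict or loose source route option.
    if source_routing_check and any(o in (IPOPT_LSRR, IPOPT_SSRR) for o in pkt.ip_options):
        return "source_routing"
    return None


class AttackLogger:
    """Implements the "Log Attacks for Every" threshold: one log message per
    N discarded attempts of the same kind (default 100, as on the unit)."""

    def __init__(self, log_attacks_for_every=100):
        self.threshold = log_attacks_for_every
        self.counts = {}
        self.messages = []

    def record(self, check):
        """Count one discarded packet; return True if a log message was emitted."""
        n = self.counts.get(check, 0) + 1
        self.counts[check] = n
        if n % self.threshold == 0:
            self.messages.append(f"{check}: {n} attempts discarded")
            return True
        return False


def run_firewall(packets, log_attacks_for_every=100):
    """Apply check_packet to each packet; return the verdicts and the logger."""
    logger = AttackLogger(log_attacks_for_every)
    verdicts = []
    for pkt in packets:
        verdict = check_packet(pkt)
        verdicts.append(verdict)
        if verdict is not None:
            logger.record(verdict)
    return verdicts, logger


# Constructed traffic; the unit's WAN address is assumed to be 198.51.100.1.
SAMPLE_PACKETS = [
    Packet(WAN_IFACE, "203.0.113.5", "10.10.10.20", "tcp", 40000, 80),   # legitimate request
    Packet(WAN_IFACE, "10.10.10.7", "10.10.10.20", "tcp", 40001, 25),    # spoofed corporate source
    Packet(WAN_IFACE, "198.51.100.1", "198.51.100.1", "tcp", 80, 80),    # land attack on the unit
    Packet(WAN_IFACE, "203.0.113.9", "10.10.10.20", "icmp", icmp_type=8, total_len=65600),
    Packet(WAN_IFACE, "203.0.113.9", "10.10.10.20", "icmp", icmp_type=ICMP_REDIRECT),
    Packet(WAN_IFACE, "203.0.113.9", "10.10.10.20", "udp", 5000, 53, ip_options=(IPOPT_LSRR,)),
]

if __name__ == "__main__":
    verdicts, logger = run_firewall(SAMPLE_PACKETS, log_attacks_for_every=1)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {pkt.proto:<5} {verdict or 'pass'}")
    print(logger.messages)
```

With the threshold left at its default of 100, a single attempt of each kind is discarded silently and a message appears only on the 100th, 200th, ... attempt of the same kind.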

> Config > Logging 

The NetVanta 2000 series periodically exports event log messages to well-secured external systems for 
secondary storage. The NetVanta 2000 series provides two industry-standard ways to export the event log: 
e-mail and syslog. Log messages may be e-mailed to specified addresses, exported to a standard syslog 
service, or a combination of both. The Logging Configuration page is displayed by clicking on Logging in 
the menu list on the left side of the display window. 
> Config > Logging > Log Export System 

The Syslog Configuration page is displayed by clicking on the Log Export System hyperlink listed as a 
Logging submenu in the menu list. The configuration parameters for exporting event log messages using 
the syslog service are displayed on this page. 

> Config > Logging > Log Export System > Log Queue Length 

The Log Queue Length field defines the number of events to be collected in the log queue before 
triggering the log export process. 

> Config > Logging > Log Export System > Logtime Threshold 

The Logtime Threshold defines the maximum time interval (in minutes) which passes before triggering 
the log export process. 

> Config > Logging > Log Export System > Device Name 

The Device Name field is an alphanumeric string attached to each log and alert message. This helps 
identify the event log messages generated by the NetVanta 2000 series in a common log file. Using a 
descriptive firewall name is useful when searching through the large log files. 

> Config > Logging > Log Export System > Enable Syslog Notification 

The Enable Syslog Notification check box configures the NetVanta 2000 series to export the log to the 
syslog service. 

> Config > Logging > Log Export System > Syslog Server 

The Syslog Server field defines the syslog server's IP address. The syslog server should be maintained 
on the corporate network. 

> Config > Logging > Log Export System > Syslog Facility 

The Syslog Facility drop-down menu selects the syslog priority level which the NetVanta 2000 series uses for 
exporting log entries to the syslog service. Nine priority levels are provided ranging from SYSLOG LOCAL0 
to SYSLOG LOCAL8. Choose any one of these priority levels and configure the syslog service accordingly. 
For configuring the syslog service on the server, refer to the syslog documentation. 

> Config > Logging > Log Export System > Enable E-Mail Notification 

The Enable E-Mail Notification check box configures the NetVanta 2000 series to export event logs through 
e-mail. 

> Config > Logging > Log Export System > Mail Server Address 

The Mail Server Address field defines the IP address of the SMTP server used by the NetVanta 2000 
series to e-mail out the log. 
> Config > Logging > Log Export System > Return Mail Address 

The Return Mail Address field is an alphanumeric string that appears in the 'From:' field in all e-mail 
containing the NetVanta 2000 series event log messages. 

> Config > Logging > Log Export System > EMail General Log to: 

The EMail General Log to: address is used by the NetVanta 2000 series when exporting event log 
messages via e-mail. 

> Config > Logging > Log Export System > EMail Alert Log to: 

The EMail Alert Log to: address allows the NetVanta 2000 series to send alert logs only to the specified 
address. 

> Config > DHCP Server 

The NetVanta 2000 series is equipped with Dynamic Host Configuration Protocol (DHCP) server 
capabilities. A DHCP server eliminates static network configuration for hosts connected to the corporate 
network by configuring them dynamically. A DHCP server manages the IP address pool in the corporate 
network by leasing IP addresses to requesting hosts. It also supplies DNS configuration and default route 
information to the requesting hosts. All requesting hosts must be running DHCP enabled operating 
systems. 

> Config > DHCP Server > DHCP Config 

The DHCP Config page is displayed by clicking on the DHCP Config hyperlink listed as a DHCP server 
submenu in the menu list. A description of the DHCP Server Configuration parameters follows. 

> Config > DHCP Server > DHCP Config > DHCP Enabled 

The DHCP Enabled radio button allows you to enable or disable the DHCP server capabilities of NetVanta 
2000 series. 

> Config > DHCP Server > DHCP Config > IP Address Range 

IP Address Range (1-3) fields specify up to three disjoint IP address ranges for leasing IP addresses to 
DHCP enabled hosts. The IP address ranges must be included in the corporate network. 

> Config > DHCP Server > DHCP Config > Gateway IP Address 

The Gateway IP Address field specifies the default gateway supplied to DHCP enabled hosts. Normal 
configuration requires this to be populated with the IP address assigned to the LAN port of NetVanta 2000 
series. 

> Config > DHCP Server > DHCP Config > DNS1/DNS2 

The DNS 1-2 fields define the primary and secondary DNS server IP addresses supplied to the DHCP 
enabled hosts in the corporate network. 
> Config > DHCP Server > DHCP Config > Lease Duration 

The Lease Duration field defines the amount of time (in seconds) that a DHCP enabled host may lease an 
assigned IP address. At the end of the lease duration, the host must send the DHCP server a lease renewal 
request for the assigned IP address. If the request is denied the host must relinquish the address and send a 
request for a new IP address to be assigned. 

> Config > DHCP Server > Active Leases 

The Active Leases page displays the DHCP leases that have been assigned (by the NetVanta 2000 series 
DHCP server) to devices located on the LAN network. 

> Config > DNS Server 

The NetVanta 2000 series comes equipped with a DNS server. To enter DNS names to the DNS Server 
lookup table, enter the DNS Name in the appropriate field and the corresponding IP address beside it in the 
IP Address field. 

> Config > Advanced 

The Advanced Configuration page is displayed by clicking Advanced in the menu list located on the left 
side of the display window. The NetVanta 2000 series advanced configuration includes box access 
configuration and service timeout parameters. 

> Config > Advanced > Box Access 

The Box Access Configuration page is displayed by clicking on the Box Access hyperlink listed as an 
Advanced Configuration submenu in the menu list. This page defines the access scheme for the NetVanta 2000 
series system including both corporate network (LAN) and Internet (WAN) access. 

> Config > Advanced > Box Access > LAN 

The Always Allow Admin Login field defines a specific IP address that overrides the Allow Admin Login 
status for the NetVanta 2000 series corporate network (LAN) interface. NetVanta 2000 series remote 
administration is always allowed from the host having the specific IP address configured in this field. 




Only use a trusted host IP address in the Always Allow Admin Login field. 



The Allow Admin Login check box enables the NetVanta 2000 series HTTP configuration access from the 
corporate network (LAN) interface. By default, HTTP configuration access is enabled from the corporate 
network (LAN) interface. 

The Allow Ping check box controls the NetVanta 2000 series's response to ICMP Echo Request messages 
received on the corporate network (LAN) interface. Selecting this checkbox configures the NetVanta 2000 
series to reply to the ICMP Echo Request received on the LAN interface. By default, Ping response is 
enabled on the corporate network (LAN) interface. 






> Config > Advanced > Box Access > WAN 

The Allow Admin Login check box enables the NetVanta 2000 series HTTP configuration access from the 
Internet (WAN) interface. By default, HTTP configuration access is disabled on the Internet (WAN) 
interface. 

The Allow Ping check box controls the NetVanta 2000 series's response to ICMP Echo Request messages 
received on the Internet (WAN) interface. Selecting this checkbox configures the NetVanta 2000 series to 
reply to the ICMP Echo Request received on the WAN interface. By default, Ping response is disabled on 
the Internet (WAN) interface. 

Disabling ping on the Internet (WAN) network interface filters out ICMP-based trace route traffic and 
gives implicit protection to the ADVANTA 2100 and the corporate network behind it from many ICMP 
Echo message based cyber attacks (Ping of Death, Ping Flood, Smurf, etc.). 

The Allow Telnet check box enables telnet access to the NetVanta 2000 series system on the Internet 
(WAN) interface. By default, telnet access to the ADVANTA 2100 is disabled on the Internet (WAN) 
interface. 

> Admin 

This section discusses all system administration activities including changing passwords, saving the 
NetVanta 2000 series configuration to permanent storage, and factory defaulting the system. The system 
administration options can be displayed by clicking on the Admin menu on the Administration Console. 

> Admin > Change Password 

The Password Setting page allows the user to change the current password. Click on Change Password 
found in the menu list on the left side of the display window. Refer to DLP-002, Changing the Admin 
Password in the NetVanta for more details. 

> Admin > Change Password > Old Password 

Enter the existing password in the Old Password field. Leave this field blank when setting the admin 
password for the first time. 

> Admin > Change Password > New Password 

Enter the new password in the New Password field. A valid password is any alphanumeric string up to 16 
characters in length. 

> Admin > Change Password > Confirm New Password 

Re-enter the new password in the Confirm New Password field. 

> Admin > Change Password > Session Timeout 

The Session Timeout field defines the length of time (in seconds) that a user session may be inactive 
before the NetVanta 2000 series automatically performs a forced logout. The default Session Timeout is 
300 seconds. 
> Admin > Reboot System 

The Reboot System page allows users to reboot the NetVanta 2000 series system from a remote location. 
Click on Reboot System found in the option list on the left side of the display window to display the 
Reboot System page. 

Rebooting the NetVanta 2000 series system requires confirmation. Click Yes to proceed with the reboot 
sequence or No to cancel. When you restart the system, the following actions take place: 

1. The NetVanta 2000 series is unresponsive until the system reboot sequence is complete. 

2. All network accesses currently active in the system will be terminated/interrupted until the system 
reboot sequence is complete. 

3. The NetVanta 2000 series reboot sequence is approximately 30 seconds in length. To resume 
configuration of the NetVanta 2000 series, successfully complete the login procedures. 

4. After a system reboot, the NetVanta 2000 series resumes service using the last saved configuration. 
To ensure a configuration change becomes permanent, save the configuration once all changes are 
complete. For saving configuration procedure details refer to > Admin > Save Settings on page 48. 

> Admin > Save Settings 

During a NetVanta 2000 series web session all configuration changes are immediately implemented. The 
updated configuration is not saved to flash memory until a manual configuration download is performed. 
Until the configuration is saved to flash memory, it is not available across power failures and system 
reboots. To save the current configuration of the NetVanta 2000 series, click on Save Settings found in 
the option list on the left side of the display window. Saving the NetVanta 2000 series system configuration 
requires confirmation. Click Yes to proceed with the configuration download or No to cancel. Once the 
configuration download is complete a confirmation message is displayed. Refer to DLP-003, Saving the 
Current Settings of the NetVanta for more details. 

> Admin > Factory Defaults 

Restore the NetVanta 2000 series to default configuration by clicking on Factory Defaults found in the 
menu list on the left side of the display window. Factory defaulting the NetVanta 2000 series requires 
confirmation. Click Yes to proceed with the factory default process or No to cancel. During the factory 
default process, the NetVanta 2000 series erases the current configuration from memory and displays the 
operation progress. When the configuration erase procedure is complete (estimated duration is a few 
seconds) an operation completion message will be displayed and you will be instructed to reboot the 
system manually to restore the factory default configuration. Refer to > Admin > Reboot System on page 
48 for instructions on rebooting the NetVanta 2000 series system. Refer to DLP-021, Restoring the 
NetVanta to Factory Defaults for more details. 
> Admin > Upgrade Firmware 

The NetVanta 2000 series firmware may be upgraded using the Upgrade Firmware page. Refer to 
DLP-008, Upgrading the Firmware of the NetVanta 2000 series for more details. 

When displaying the Upgrade Firmware page, a Windows security warning page will be 
displayed. Install and run the necessary file to continue the upgrade firmware process. 
This file is signed with full permissions by ADTRAN, Inc. 



> Admin > Configuration Transfer 

The NetVanta 2000 series supports configuration transfers from the unit (via either the LAN or WAN 
interface) using an active browser session. 

> Admin > Configuration Transfer > Configuration Download 

The NetVanta 2000 series configuration can be saved to a file by clicking on the Download button in the 
Configuration Download dialog box under Configuration Transfer. The Windows Download dialog 
box will appear, indicating that you have chosen to download a .bin file from this location. Select Save 
this file to disk and click OK. When the Windows Save As dialog box appears, enter the filename and 
select the location in which to store it. Click the Save button. A Windows Download Complete dialog 
box will appear, indicating the download is complete and the file has been saved. Click on Close. Refer to 
DLP-009, Saving the Current Configuration of the NetVanta for more details. 



If you want the Download Complete dialog box to automatically close when the download 
is complete, select that option inside the WINDOWS DOWNLOAD COMPLETE dialog box prior 
to selecting CLOSE. 



> Admin > Configuration Transfer > Configuration Upload 

A configuration can be uploaded into the NetVanta 2000 series by choosing the Configuration Upload 
dialog box under Configuration Transfer. If the filename is known, it can be entered directly into the 
file box. If the filename is not known, the user may select the Browse button. After clicking Browse, a 
Windows file browser will display. Select the appropriate file and click Open. Once the correct filename 
appears in the file box, click the Upload button. The following message will display: 

Upload done. The unit is rebooting with the new configuration... 

After waiting for the unit to complete the reboot cycle, the user should close the active browser session, 
initiate a new session, and log in to the unit as before. Refer to DLP-010, Loading a Saved Configuration 
into the NetVanta for more details. 

> Logout 

To log out of the NetVanta 2000 series system, click on Logout found on the right side of the menu bar. 
Logging out requires confirmation by clicking the Logout button on the logout confirmation dialog. After 
confirming the logout, the web session will immediately be terminated and the Logged Out 
Successfully page will be displayed. 
> Policies 

This configuration section describes the various NetVanta 2000 series policies, including user access and 
VPN policies, and how to create and maintain different policy component tables. To make the policies 
configuration process easier, the NetVanta 2000 series is equipped with policy component tables that store 
configuration parameters that are used repetitively during configuration. These tables are divided into six 
categories: Users, User Groups, IP Address, Services, Schedule, and NAT. Policy component tables make 
policy configuration quick and dynamic. The policy component tables and their respective applications are 
discussed in this chapter. 

The Policies Configuration page is displayed by clicking the Policies menu found on the Administration 
Console. All access policies and policy component tables are accessed and configured through the 
Policies menu. These include Corporate Inbound and Outbound policies, VPN policies, and User-Group 
Access policies. 

> Policies > Manage Lists 

The Manage Lists Configuration page contains information and configuration parameters for the six policy 
component table categories and is displayed by clicking on Manage Lists found in the option list on the 
left side of the display window. 

> Policies > Manage Lists > Users 

The Users table is used to define and classify the user community. To display the Users table, click on the 
User hyperlink shown as a Manage Lists submenu in the menu list on the left side of the display window. 
Refer to DLP-014, Adding a User to the Users Component Table for more details. 

> Policies > Manage Lists > Users > User Name 

The User Name field defines an alphanumeric string (up to 64 characters in length) used as the user login 
name. The ADVANTA 2100 users use this respective User Name as a trigger to activate individual access 
and VPN policies. 

> Policies > Manage Lists > Users > Password 

The Password field defines an alphanumeric string (up to 64 characters in length) used as the user password 
used for web based authentication. 

> Policies > Manage Lists > Users > Confirm Password 

Re-enter the user password from the Password field in the Confirm Password text box. 

> Policies > Manage Lists > Users > Group Name 

The Group Name drop down menu defines the user group this user is assigned to. 




A user group must be configured in the USER GROUP table, before a specific user may be 
added. Refer to DLP-013, Defining a User Group in the NetVanta, for more details. 
> Policies > Manage Lists > User Groups 

The User Groups table allows you to classify your network user community into multiple sets of similar 
users. Access and VPN policies can be created for a specific user group and members can be 
added/removed dynamically. For example, a user wants to access the Internet from the corporate network 
or vice versa and is required to login to the ADVANTA 2100 box first. Once the login is successful, the 
ADVANTA 2100 finds the user group for the new user. The NetVanta 2000 series then makes a copy of the 
user group's network access and VPN policies and activates them for the user's IP address. 

The User Groups table is displayed by clicking on the User Groups hyperlink shown as a Manage Lists 
submenu in the menu list on the left side of the display window. Refer to DLP-013, Defining a User Group 
in the NetVanta for more details. 

> Policies > Manage Lists > User Groups > Group Name 

The Group Name field defines an alphanumeric string (up to 20 characters) used as the name of the user 
group. 

> Policies > Manage Lists > User Groups > Authentication Type 

The Authentication Type checkbox allows you to set the authentication type for the selected user group 
for either HTTP or IKE. Enabling this option allows all users belonging to this user group to login to the 
ADVANTA 2100 and activate their policies. If this checkbox is left unchecked, the user group is disabled 
and members of the group cannot login to the NetVanta 2000 series. 

> Policies > Manage Lists > User Groups > IKE Policy Name 

The IKE Policy Name drop down menu displays a list of all available IKE policies. 




If Authentication Type is set to IKE, a specific IKE policy must be selected in the IKE 
Policy Name field. 



> Policies > Manage Lists > IP Address 

The IP Address table is used to save frequently used IP addresses. To display the IP Address table, click on 
the IP Address hyperlink shown as a Manage Lists submenu in the menu list on the left side of the display 
window. Refer to DLP-015, Using the IP Address Component Table for more details. 

> Policies > Manage Lists > IP Address > IP Name 

The IP Name field defines an alphanumeric string (up to 64 characters) used as the identifier for the IP 
address group. 
> Policies > Manage Lists > IP Address > Address Category 

The Address Category field configures the IP address group to be an IP Range, an IP Subnet, a Single 
IP address, or Any IP address. 

An IP Range is a set of IP addresses defined by start and end addresses. To add an IP Range, enter the start 
IP Address in the IP Address 1 field and the end address in the IP Address 2 field. 

An IP Subnet is a set of IP addresses defined by a network address and subnet mask. To add an IP Subnet, 
enter the network address in the IP Address 1 field and the subnet mask in the IP Address 2 field. 




To add a Single IP Address, enter the specific address in the IP Address 1 field. 



> Policies > Manage Lists > Services 

The Services table defines the transport protocol options and configuration parameters. The Services table 
is displayed by clicking on the Services hyperlink shown as a Manage Lists submenu in the option list on 
the left side of the display window. Refer to DLP-016, Adding a Service to the Services Component Table 
for more details. 

> Policies > Manage Lists > Services > Service Name 

The Service Name field defines an alphanumeric string (up to 20 characters) used as the display name for 
the service. 

> Policies > Manage Lists > Services > Protocol Type 

The Protocol radio button allows you to define the transport protocol used by this service. 

> Policies > Manage Lists > Services > Service Port 

The Port Number field defines the port number used by this service. 

> Policies > Manage Lists > Schedule 

The Time Schedule table is used to define weekly time schedules to use when defining policies. To display 
the Time Schedule table, click on the Schedule hyperlink shown as a Manage Lists submenu in the menu 
list on the left side of the display window. 

To add a new time schedule record to the Time Schedule table, click the Add button in the Time Schedule 
dialog box. The Time Window Configuration page is displayed. A discussion of the fields listed on the 
Time Window Configuration page follows. 

> Policies > Manage Lists > Schedule > Window Name 

The Window Name field defines an alphanumeric string (up to 20 characters) used as the identifying name 
of the time schedule record. 
> Policies > Manage Lists > Schedule > Option 1, 2, 3 

The Option (1-3) field allows you to define up to three distinct time windows in a week. 

> Policies > Manage Lists > Schedule > Working Days 

The Working Days drop down menus define the start and end days of the time interval for the selected 
option. 

> Policies > Manage Lists > Schedule > Open Hrs and Mins 

The Open Hrs & Mins drop down menus define the beginning of the time interval in hours and minutes on 
each week day configured in the Working Days field. 

> Policies > Manage Lists > Schedule > Close Hrs and Mins 

The Close Hrs & Mins drop down menus define the end of the time interval in hours and minutes on each 
week day configured in the Working Days field. 

> Policies > Manage Lists > NAT 

The NAT table is displayed by clicking on the NAT hyperlink shown as a Manage Lists submenu in the 
option list on the left side of the display window. 

To add a new NAT filter scheme to the NAT table, click the Add button found in the NAT Configuration 
dialog box. The NAT Configuration page is displayed. A discussion of the fields on the NAT Configuration 
page follows. 

> Policies > Manage Lists > NAT > NAT Name 

The NAT Name field defines an alphanumeric string (up to 20 characters) assigned to this NAT content 
filtering scheme. 

> Policies > Manage Lists > NAT > Many to One Mapping - From LAN Policy 

Many to One Mapping configures the NetVanta 2000 series to use the defined NAT parameters on all 
traffic associated with the particular From LAN policy that references the NAT record. To NAT all policy 
specific traffic to a specific public IP address, enter the IP address in the NAT IP Address field. To NAT 
all policy traffic to the IP address associated with a particular interface, select the interface name from the 
Dynamic Interface drop down menu. Enabling NAT on the From LAN policy and selecting the NAT name 
from the drop down menu will activate the NAT configuration. 

> Policies > Manage Lists > NAT > Many to One Mapping - To LAN Policy 

Many to One Mapping configures the NetVanta 2000 series to use the defined NAT parameters on all 
traffic associated with the particular To LAN policy that references the NAT record. To Reverse NAT all 
policy specific traffic to a specific private IP address, enter the IP address in the NAT IP Address field. 
Enabling NAT on the To LAN policy and selecting the NAT name from the drop down menu will activate 
the NAT configuration. 
> Policies > Manage Lists > NAT > One to One Mapping - From LAN Policy 

One to One Mapping configures the NetVanta 2000 series to perform NAT on traffic (associated with a 
particular policy) that originates from a specified range of IP addresses. One to One NAT requires a 
specified range of public IP addresses to use while performing NAT. Enter the range of private IP 
addresses to NAT in the Source Range fields. Enter the range of public IP addresses to be used while 
performing NAT in the Destination Range fields. 



The number of IP addresses in the specified Source and Destination Range fields must match 
for One to One Mapping. 



Enabling NAT on the LAN Outbound policy and selecting the NAT name from the drop down menu will 
activate the NAT configuration. 

> Policies > Manage Lists > NAT > One to One Mapping - To LAN Policy 

One to One Mapping configures the NetVanta 2000 series to perform NAT on traffic (associated with a 
particular policy) that originates from a specified range of IP addresses. One to One NAT requires a 
specified range of public IP addresses to use while performing NAT. Enter the range of public IP addresses 
to NAT in the Source Range fields. Enter the range of private IP addresses to be used while performing 
NAT in the Destination Range fields. 



The number of IP addresses in the specified Source and Destination Range fields must match 
for One to One Mapping. 



Enabling NAT on the To LAN policy and selecting the NAT name from the drop down menu will activate 
the NAT configuration. 
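The NAT records described above (Many to One for both policy directions, One to One with its matching-range requirement and its Reverse NAT form) modelled as an added example; this is illustration code, not ADTRAN's, and the sample addresses are constructed:

```python
"""Added model of the NAT component table records described above (illustration
only, not ADTRAN code). A Many to One record rewrites every address of the policy's
traffic to one NAT IP Address; a One to One record rewrites address i of the Source
Range to address i of the Destination Range, which is why the two ranges must hold
the same number of addresses. The To LAN (Reverse NAT) form of a One to One record
is the same mapping read from the public side."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def _count(start: IPv4Address, end: IPv4Address) -> int:
    """Number of addresses in an inclusive start-end range."""
    n = int(end) - int(start) + 1
    if n < 1:
        raise ValueError(f"range end {end} precedes range start {start}")
    return n


@dataclass(frozen=True)
class ManyToOneNat:
    """Many to One Mapping: all policy traffic is rewritten to nat_ip."""
    nat_name: str
    nat_ip: IPv4Address

    def translate(self, addr: IPv4Address) -> IPv4Address:
        return self.nat_ip


@dataclass(frozen=True)
class OneToOneNat:
    """One to One Mapping: Source Range address i <-> Destination Range address i."""
    nat_name: str
    source_start: IPv4Address
    source_end: IPv4Address
    dest_start: IPv4Address
    dest_end: IPv4Address

    def __post_init__(self) -> None:
        # The manual's note: the address counts of the two ranges must match.
        src_n = _count(self.source_start, self.source_end)
        dst_n = _count(self.dest_start, self.dest_end)
        if src_n != dst_n:
            raise ValueError(f"{self.nat_name}: Source Range has {src_n} addresses, "
                             f"Destination Range has {dst_n}")

    def translate(self, addr: IPv4Address) -> Optional[IPv4Address]:
        """Rewrite an address in the Source Range; None if it lies outside the range."""
        if not self.source_start <= addr <= self.source_end:
            return None
        offset = int(addr) - int(self.source_start)
        return IPv4Address(int(self.dest_start) + offset)

    def reverse(self) -> "OneToOneNat":
        """The matching To LAN record: public range as Source, private range as Destination."""
        return OneToOneNat(self.nat_name + "-to-lan", self.dest_start, self.dest_end,
                           self.source_start, self.source_end)


def one_to_one(nat_name: str, src: str, dst: str) -> OneToOneNat:
    """Build a record from "start-end" strings as typed into the Range fields."""
    s0, s1 = (IPv4Address(a) for a in src.split("-"))
    d0, d1 = (IPv4Address(a) for a in dst.split("-"))
    return OneToOneNat(nat_name, s0, s1, d0, d1)


def range_counts_match(src: str, dst: str) -> bool:
    """Pre-check before clicking Add: would this One to One record be accepted?"""
    try:
        one_to_one("check", src, dst)
    except ValueError:
        return False
    return True


# Constructed sample (RFC 5737 documentation addresses, not from the manual): four LAN
# hosts get four public addresses on a From LAN policy; replies use the reverse record.
OUTBOUND = one_to_one("web-farm", "10.1.1.10-10.1.1.13", "203.0.113.10-203.0.113.13")
INBOUND = OUTBOUND.reverse()
OFFICE = ManyToOneNat("office", IPv4Address("203.0.113.1"))
```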

> Policies > Access Policies: To LAN 

The To LAN Policy Configuration page is displayed by clicking Access Policies: To LAN in the menu list on 
the left side of the display window. To LAN Inbound policies apply to all data received by the NetVanta 2000 
series that is to be transmitted out the Corporate Network Interface (LAN). 

The To LAN Policy Configuration page displays a list of all current policies and provides an easy way to 
organize them using the Rule ID field. 

Before creating a new To LAN inbound policy, decide the appropriate priority for the policy. All policies 
are displayed in descending order according to priority. Using the Add drop down menu containing 
BEFORE, AFTER, BEGINNING, and END options, configure the placement of the policy and click the 
Add button. The Internet Access Policy Configuration page is displayed. A discussion of the fields found 
on the Internet Access Policy Configuration page follows. 
> Policies > Access Policies: To LAN > Configuration > Rule ID 

The Rule ID number is a system-wide unique policy ID generated by the NetVanta 2000 series when a new 
access policy is created. 

> Policies > Access Policies: To LAN > Configuration > Policy Class 

The Policy Class field is populated automatically by the NetVanta 2000 series using the current policy 
class (VPN, Corporate Inbound, Corporate Outbound). 

> Policies > Access Policies: To LAN > Configuration > Source IP 

The Source IP displays the source addresses of incoming traffic used for the policy. All IP records 
previously defined in the IP table will appear in this drop down menu. Select the predefined IP record, or 
choose Other and define the source IP using the IP and Mask Bits text boxes below the drop down menu. 
Any option in this menu represents all valid IP addresses in the Internet address space. 

> Policies > Access Policies: To LAN > Configuration > Destination IP 

The Destination IP displays the destination IP addresses of incoming traffic used for the policy. All IP 
records previously defined in the IP table will appear in this drop down menu. Select the predefined IP 
record, or choose Other and define the destination IP using the IP and Mask Bits text boxes below the 
drop down menu. Any option in this menu represents all valid IP addresses in the Internet address space. 

> Policies > Access Policies: To LAN > Configuration > Destination Port 

The Destination Port drop down menu lists all definitions made in the services table. Choose one of the 
predefined destination port entries, or choose Other and define the destination port or port range using the 
text boxes below the drop down menu. To define a single port, enter the desired port value in the port range 
start text box and leave the port range text box empty. Any option in this menu represents the complete port 
range from 1 to 65535. 

> Policies > Access Policies: To LAN > Configuration > Protocol Type 

The Protocol Type drop down menu selects the transport protocol for this access policy. If the desired 
transport protocol is not listed in the menu, choose Other and enter the desired IP based transport protocol 
number in the text box below the drop down menu. 

> Policies > Access Policies: To LAN > Configuration > Action Type 

The Action Type menu defines the policy as a Permit or Deny policy. Permit policies allow traffic matched 
by the policy selectors to pass through and Deny policies block that traffic. 

> Policies > Access Policies: To LAN > Configuration > Time Schedule Used 

The Time Schedule Used menu attaches a predefined time schedule to the Permit type access policy. This 
activates the policy only in the time windows defined in the selected time schedule. 

> Policies > Access Policies: To LAN > Configuration > Enable Log 

The Enable Log radio button selectively enables or disables event logging for the access policy. 
> Policies > Access Policies: To LAN > Configuration > Enable NAT 

The Enable NAT radio button provides control to enable or disable NAT for the policy. 

> Policies > Access Policies: To LAN > Configuration > NAT Name 

The NAT Name drop down menu lists all entries from the NAT table. To manually define the NAT out pool 
address here, select Other and enter the out pool IP address in the text boxes below the drop down menu. 
Enabling NAT on a To LAN inbound policy applies a Reverse NAT filtering scheme to incoming traffic 
received on this policy by the NetVanta 2000 series. 

> Policies > Access Policies: To LAN > Configuration > Security 

Since access policy and VPN policy selectors are created separately and act independently, the Security 
radio button configures the NetVanta 2000 series to check for the existence of a VPN policy for all the 
network traffic governed by this access policy. If any traffic that would pass this access policy would be 
sent in the clear, that is, not over an already defined VPN policy, an error will be generated to notify the 
user. 



Not selecting the Security option may allow insecure data transmission through the 
NetVanta 2000 series. 




If insecure data transmission is allowed because a VPN policy is removed after the 
Security option has been performed on an access policy, no user notification will be 
given. To ensure data security, verify each access policy after VPN changes are made. 



Changing the Priority of a Policy 

You can change the access policy priority in two ways. For simple priority corrections, use the up and 
down arrow buttons located in the end columns of each policy in the access policy table. Clicking the up or 
down button increases or decreases the priority of the access policy with respect to its neighboring 
policies. 

An alternative method can be used for major priority corrections. Select the policy whose priority you 
want to change by entering its Rule ID in the text box located after the Place Rule tab. This is located at 
the end of the policy table. 

Then use the Before/After radio button in combination with the Rule ID text box following this radio 
button to decide the new place in the table for this policy, and click the Insert button. 

The policy will be moved to the new place in the table. 
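An added model of the To LAN policy configuration fields and the priority operations described above; this is illustration code, not ADTRAN's, the sample table is constructed, and first-match evaluation, the deny default when nothing matches, and the weekday encoding are assumptions the manual does not state:

```python
"""Added model of a NetVanta 2000 series access policy table (illustration code,
not ADTRAN's). It shows how the selectors described above decide whether a packet
is permitted, how the "Any" options widen a selector, what the Security option
checks for, and how the up button and Place Rule reorder the table. First-match
evaluation, deny-when-nothing-matches and the day encoding are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Tuple

ANY = "Any"  # the manual's "Any" option: every address, or ports 1 to 65535

@dataclass(frozen=True)
class TimeWindow:
    """One Option (1-3) of a Time Schedule: Working Days plus Open/Close Hrs & Mins."""
    start_day: int  # 0 = Monday ... 6 = Sunday (assumed encoding)
    end_day: int
    open_hm: Tuple[int, int]
    close_hm: Tuple[int, int]

    def contains(self, when: datetime) -> bool:
        if not self.start_day <= when.weekday() <= self.end_day:
            return False
        return self.open_hm <= (when.hour, when.minute) < self.close_hm

def _ip_in(selector: str, addr: str) -> bool:
    """selector is "Any" or "IP/MaskBits" as typed into the Other text boxes."""
    return selector == ANY or IPv4Address(addr) in IPv4Network(selector, strict=False)

@dataclass(frozen=True)
class Policy:
    rule_id: int
    source: str              # Source IP: "Any" or e.g. "10.1.0.0/16"
    destination: str         # Destination IP
    ports: Tuple[int, int]   # Destination Port range; (p, p) for a single port
    protocol: Optional[int]  # Protocol Type as an IP protocol number; None = "Any"
    permit: bool             # Action Type: Permit (True) or Deny (False)
    schedule: Tuple[TimeWindow, ...] = ()  # empty: no Time Schedule attached

    def matches(self, src: str, dst: str, port: int, proto: int, when: datetime) -> bool:
        if not (_ip_in(self.source, src) and _ip_in(self.destination, dst)):
            return False
        if not self.ports[0] <= port <= self.ports[1]:
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        # A Time Schedule restricts a Permit policy to its configured windows.
        if self.permit and self.schedule and not any(w.contains(when) for w in self.schedule):
            return False
        return True

class PolicyTable:
    """Policies are held in priority order; the first matching policy decides."""
    def __init__(self, policies: Iterable[Policy]):
        self.rules: List[Policy] = list(policies)

    def evaluate(self, src: str, dst: str, port: int, proto: int,
                 when_iso: str) -> Tuple[str, Optional[int]]:
        """Decide a packet; when_iso is a local time such as "2024-01-10T09:30"."""
        when = datetime.fromisoformat(when_iso)
        for p in self.rules:
            if p.matches(src, dst, port, proto, when):
                return ("permit" if p.permit else "deny", p.rule_id)
        return ("deny", None)  # assumed behaviour when no policy matches

    def _index(self, rule_id: int) -> int:
        return next(i for i, p in enumerate(self.rules) if p.rule_id == rule_id)

    def move_up(self, rule_id: int) -> None:
        """The up button: swap the policy with its higher-priority neighbour."""
        i = self._index(rule_id)
        if i > 0:
            self.rules[i - 1], self.rules[i] = self.rules[i], self.rules[i - 1]

    def place_rule(self, rule_id: int, before: bool, ref_id: int) -> None:
        """Place Rule: move rule_id BEFORE or AFTER the policy whose Rule ID is ref_id."""
        moving = self.rules.pop(self._index(rule_id))
        j = self._index(ref_id)
        self.rules.insert(j if before else j + 1, moving)

def security_check(policy: Policy, vpn_pairs: Iterable[Tuple[str, str]]) -> bool:
    """The Security option: is all traffic this policy passes carried by a VPN policy
    (given as (source network, destination network) selectors)? "Any" never is."""
    def covered(selector: str, vpn_net: str) -> bool:
        return (selector != ANY and
                IPv4Network(selector, strict=False).subnet_of(IPv4Network(vpn_net)))
    return any(covered(policy.source, s) and covered(policy.destination, d)
               for s, d in vpn_pairs)

# Constructed sample table (not from the manual): HTTP to one corporate web server is
# permitted Mon-Fri 08:00-18:00; everything else bound for the LAN is denied.
OFFICE_HOURS = (TimeWindow(0, 4, (8, 0), (18, 0)),)
SAMPLE_TABLE = PolicyTable([
    Policy(1, ANY, "192.0.2.10/32", (80, 80), 6, True, OFFICE_HOURS),
    Policy(2, ANY, ANY, (1, 65535), None, False),
])
```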
Checking Policy Statistics 

Select the policy whose statistics you want to check from the access policy table and click the Log button. 
This will display the policy statistics page. 

> Policies > Access Policies: From LAN 

The From LAN Policy Configuration page is displayed by clicking Access Policies: From LAN in the 
menu list on the left side of the display window. From LAN outbound policies apply to all data received by 
the NetVanta 2000 series on the Corporate Network Interface (LAN). 

The From LAN Policy Configuration page displays a list of all current policies and provides an easy way 
to organize them using the Rule ID field. 

Before creating a new From LAN outbound policy, decide the appropriate priority for the policy. All 
policies are displayed in descending order according to priority. Using the Add drop down menu 
containing BEFORE, AFTER, BEGINNING, and END options, configure the placement of the policy and 
click the Add button. The Internet Access Policy Configuration page is displayed. A discussion of the 
fields found on the Internet Access Policy Configuration page follows the figure. 

> Policies > Access Policies: From LAN > Configuration > Rule ID 

The Rule ID number is a system-wide unique policy ID generated by the NetVanta 2000 series when a new 
access policy is created. 

> Policies > Access Policies: From LAN > Configuration > Policy Class 

The Policy Class field is populated automatically by the NetVanta 2000 series using the current policy 
class (VPN, Corporate Inbound, Corporate Outbound). 

> Policies > Access Policies: From LAN > Configuration > Source/Destination 

The Source IP/Destination IP displays the source and destination IP addresses used for the policy. All IP 
records previously defined in the IP table will appear in this drop down menu. Select the predefined IP 
record, or choose Other and define the source/destination IP using the IP and Mask Bits text boxes below 
the drop down menu. Any option in this menu represents all valid IP addresses in the Internet address 
space. 

> Policies > Access Policies: From LAN > Configuration > Destination Port 

The Destination Port drop down menu lists all definitions made in the services table. Choose one of the 
predefined destination port entries, or choose Other and define the destination port or port range using the 
text boxes below the drop down menu. To define a single port, enter the desired port value in the port range 
start text box and leave the port range text box empty. Any option in this menu represents the complete port 
range from 1 to 65535. 
> Policies > Access Policies: From LAN > Configuration > Protocol Type 

The Protocol Type drop down menu selects the transport protocol for this access policy. If the desired 
transport protocol is not listed in the menu, choose Other and enter the desired IP based transport protocol 
number in the text box below the drop down menu. 

> Policies > Access Policies: From LAN > Configuration > Action Type 

The Action Type menu defines the policy as a Permit or Deny policy. Permit policies allow traffic matched 
by the policy selectors to pass through and Deny policies block that traffic. 

> Policies > Access Policies: From LAN > Configuration > Time Schedule Used 

The Time Schedule Used menu attaches a predefined time schedule to the Permit type access policy. This 
activates the policy only in the time windows defined in the selected time schedule. 

> Policies > Access Policies: From LAN > Configuration > Enable Log 

The Enable Log radio button selectively enables or disables event logging for the access policy. 

> Policies > Access Policies: From LAN > Configuration > Enable NAT 

The Enable NAT radio button provides control to enable or disable NAT for the policy. 

> Policies > Access Policies: From LAN > Configuration > NAT Name 

The NAT Name drop down menu lists all entries from the NAT table. To manually define the NAT out pool 
address here, select Other and enter the out pool IP address in the text boxes below the drop down menu. 

> Policies > Access Policies: From LAN > Configuration > Security 

Since access policy and VPN policy selectors are created separately and act independently, the Security 
radio button configures the NetVanta 2000 series to check for the existence of a VPN policy for all the 
network traffic governed by this access policy. If any traffic that would pass this access policy would be 
sent in the clear, that is, not over an already defined VPN policy, an error will be generated to notify the 
user. 




Not selecting the Security option may allow insecure data transmission through the 
NetVanta 2000 series. 




If insecure data transmission is allowed because a VPN policy is removed after the 
Security option has been performed on an access policy, no user notification will be 
given. To ensure data security, verify each access policy after VPN changes are made. 
Changing the Priority of a Policy 

You can change the access policy priority in two ways. For simple priority corrections, use the up and 
down arrow buttons located in the end columns of each policy in the access policy table. Clicking the up or 
down button increases or decreases the priority of the access policy with respect to its neighboring 
policies. 

An alternative method can be used for major priority corrections. Select the policy whose priority you 
want to change by entering its Rule ID in the text box located after the Place Rule tab. This is located at 
the end of the policy table. 

Then use the Before/After radio button in combination with the Rule ID text box following this radio 
button to decide the new place in the table for this policy, and click the Insert button. 

The policy will be moved to the new place in the table. 

Default Access Policies 

By default, the NetVanta 2000 series has eight corporate outbound policies configured for accessing 
popular Internet services from the corporate network. With these default access policies any host in the 
corporate network can access the specified services on any host in the Internet. You can modify these 
policies to suit your network access policy. 

Default access policies have NAT enabled. 

> Policies > Access Policies: To DMZ 

The To DMZ Policy Configuration page is displayed by clicking Access Policies: To DMZ in the menu list on 
the left side of the display window. To DMZ Inbound policies apply to all data received by the NetVanta 2000 
series that is to be transmitted out the DMZ Interface. 

The To DMZ Policy Configuration page displays a list of all current policies and provides an easy way to 
organize them using the Rule ID field. 

Before creating a new To DMZ inbound policy, decide the appropriate priority for the policy. All policies 
are displayed in descending order according to priority. Using the Add drop down menu containing 
BEFORE, AFTER, BEGINNING, and END options, configure the placement of the policy and click the 
Add button. The Internet Access Policy Configuration page is displayed. A discussion of the fields found 
on the Internet Access Policy Configuration page follows. 

> Policies > Access Policies: To DMZ > Configuration > Rule ID 

The Rule ID number is a system-wide unique policy ID generated by the NetVanta 2000 series when a new 
access policy is created. 

61200361L1-1E ©2002 ADTRAN, Inc. 59 

Section 4, User Interface Guide NetVanta 2000 Series System Manual 

> Policies > Access Policies: To DMZ > Configuration > Policy Class 

The Policy Class field is populated automatically by the NetVanta 2000 series using the current policy 
class (VPN, Corporate Inbound, Corporate Outbound). 

> Policies > Access Policies: To DMZ > Configuration > Source IP 

The Source IP displays the source addresses of incoming traffic used for the policy. All IP records 
previously defined in the IP table will appear in this drop down menu. Select the predefined IP record, or 
choose Other and define the source IP using the IP and Mask Bits text boxes below the drop down menu. 
Any option in this menu represents all valid IP addresses in the Internet address space. 

> Policies > Access Policies: To DMZ > Configuration > Destination IP 

The Destination IP displays the destination IP addresses of incoming traffic used for the policy. All IP 
records previously defined in the IP table will appear in this drop down menu. Select the predefined IP 
record, or choose Other and define the destination IP using the IP and Mask Bits text boxes below the 
drop down menu. Any option in this menu represents all valid IP addresses in the Internet address space. 

> Policies > Access Policies: To DMZ > Configuration > Destination Port 

The Destination Port drop down menu lists all definitions made in the services table. Choose one of the 
predefined destination port entries, or choose Other and define the destination port or port range using the 
text boxes below the drop down menu. To define a single port, enter the desired port value in the port range 
start text box and leave the port range text box empty. Any option in this menu represents the complete port 
range from 1 to 65535. 

> Policies > Access Policies: To DMZ > Configuration > Protocol Type 

The Protocol Type drop down menu selects the transport protocol for this access policy. If the desired 
transport protocol is not listed in the menu, choose Other and enter the desired IP based transport protocol 
number in the text box below the drop down menu. 

> Policies > Access Policies: To DMZ > Configuration > Action Type 

The Action Type menu defines the policy as a Permit or Deny policy. Permit policies allow traffic matched 
by the policy selectors to pass through, and Deny policies block that traffic. 

> Policies > Access Policies: To DMZ > Configuration > Time Schedule Used 

The Time Schedule Used menu attaches a predefined time schedule to the Permit type access policy. This 
activates the policy only in the time windows defined in the selected time schedule. 

> Policies > Access Policies: To DMZ > Configuration > Enable Log 

The Enable Log radio button selectively enables or disables event logging for the access policy. 

> Policies > Access Policies: To DMZ > Configuration > Enable NAT 

The Enable NAT radio button provides control to enable or disable NAT for the policy. 
> Policies > Access Policies: To DMZ > Configuration > NAT Name 

The NAT Name drop down menu lists all entries from the NAT table. To manually define the NAT out pool 
address here, select Other and enter the out pool IP address in the text boxes below the drop down menu. 
Enabling NAT on a To DMZ inbound policy applies a Reverse NAT filtering scheme to incoming traffic 
received on this policy by the NetVanta 2000 series. 

> Policies > Access Policies: To DMZ > Configuration > Security 

Because access policy selectors and VPN policy selectors are created separately and act independently, 
the Security radio button configures the NetVanta 2000 series to check that a VPN policy exists for all 
the network traffic governed by this access policy. If any traffic that would pass this access policy would 
be sent in the clear (that is, not over an already defined VPN policy), an error is generated to notify the 
user. 



Not selecting the Security option may allow insecure data transmission through the 
NetVanta 2000 series. 




If insecure data transmission becomes possible because a VPN policy is removed after the Security check 
has been performed on an access policy, no user notification is given. To ensure data security, verify each 
access policy after VPN changes are made. 



Changing the Priority of a Policy 

You can change the access policy priority in two ways. For small priority corrections, use the up and down 
buttons located in the end columns of each policy in the access policy table. Clicking the up or down button 
raises or lowers the priority of the access policy with respect to its neighboring policies. 

For major priority corrections, use the Place Rule control located at the end of the policy table. Select the 
policy whose priority you want to change by entering its Rule ID in the text box after the Place Rule tab. 

Then use the Before/After radio button together with the Rule ID text box following it to decide the new 
place in the table for this policy, and click the Insert button. 

The policy will be moved to the new place in the table. 

Checking Policy Statistics 

Select the policy whose statistics you want to check from the access policy table and click the Log button. 
This will display the policy statistics page. 
> Policies > Access Policies: From DMZ 

The From DMZ Policy Configuration page is displayed by clicking Access Policies: From DMZ in the 
menu list on the left side of the display window. From DMZ outbound policies apply to all data received by 
the NetVanta 2000 series on the DMZ interface. 

The From LAN Policy Configuration page displays a list of all current policies and provides an easy way 
to organize them using the Rule ID field. 

Before creating a new From DMZ outbound policy, decide the appropriate priority for the policy. All 
policies are displayed in descending order of priority. Using the Add drop down menu, which contains the 
BEFORE, AFTER, BEGINNING, and END options, configure the placement of the policy and click the 
Add button. The Internet Access Policy Configuration page is displayed. A discussion of the fields found 
on the Internet Access Policy Configuration page follows the figure. 

> Policies > Access Policies: From DMZ > Configuration > Rule ID 

The Rule ID number is a system-wide unique policy ID generated by the NetVanta 2000 series when a new 
access policy is created. 

> Policies > Access Policies: From DMZ > Configuration > Policy Class 

The Policy Class field is populated automatically by the NetVanta 2000 series using the current policy 
class (VPN, To/From LAN, To/From DMZ). 

> Policies > Access Policies: From DMZ > Configuration > Source/Destination 

The Source IP/Destination IP displays the source and destination IP addresses used for the policy. All IP 
records previously defined in the IP table will appear in this drop down menu. Select the predefined IP 
record, or choose Other and define the source/destination IP using the IP and Mask Bits text boxes below 
the drop down menu. Any option in this menu represents all valid IP addresses in the Internet address 
space. 

> Policies > Access Policies: From DMZ > Configuration > Destination Port 

The Destination Port drop down menu lists all definitions made in the services table. Choose one of the 
predefined destination port entries, or choose Other and define the destination port or port range using the 
text boxes below the drop down menu. To define a single port, enter the desired port value in the port range 
start text box and leave the port range text box empty. Any option in this menu represents the complete port 
range from 1 to 65535. 

> Policies > Access Policies: From DMZ > Configuration > Protocol Type 

The Protocol Type drop down menu selects the transport protocol for this access policy. If the desired 
transport protocol is not listed in the menu, choose Other and enter the desired IP based transport protocol 
number in the text box below the drop down menu. 
> Policies > Access Policies: From DMZ > Configuration > Action Type 

The Action Type menu defines the policy as a Permit or Deny policy. Permit policies allow traffic matched 
by the policy selectors to pass through, and Deny policies block that traffic. 

> Policies > Access Policies: From DMZ > Configuration > Time Schedule Used 

The Time Schedule Used menu attaches a predefined time schedule to the Permit type access policy. This 
activates the policy only in the time windows defined in the selected time schedule. 

> Policies > Access Policies: From DMZ > Configuration > Enable Log 

The Enable Log radio button selectively enables or disables event logging for the access policy. 

> Policies > Access Policies: From DMZ > Configuration > Enable NAT 

The Enable NAT radio button provides control to enable or disable NAT for the policy. 

> Policies > Access Policies: From DMZ > Configuration > NAT Name 

The NAT Name drop down menu lists all entries from the NAT table. To manually define the NAT out pool 
address here, select Other and enter the out pool IP address in the text boxes below the drop down menu. 

> Policies > Access Policies: From DMZ > Configuration > Security 

Because access policy selectors and VPN policy selectors are created separately and act independently, 
the Security radio button configures the NetVanta 2000 series to check that a VPN policy exists for all 
the network traffic governed by this access policy. If any traffic that would pass this access policy would 
be sent in the clear (that is, not over an already defined VPN policy), an error is generated to notify the 
user. 



Not selecting the Security option may allow insecure data transmission through the 
NetVanta 2000 series. 




If insecure data transmission becomes possible because a VPN policy is removed after the Security check 
has been performed on an access policy, no user notification is given. To ensure data security, verify each 
access policy after VPN changes are made. 
Changing the Priority of a Policy 

You can change the access policy priority in two ways. For small priority corrections, use the up and down 
buttons located in the end columns of each policy in the access policy table. Clicking the up or down button 
raises or lowers the priority of the access policy with respect to its neighboring policies. 

For major priority corrections, use the Place Rule control located at the end of the policy table. Select the 
policy whose priority you want to change by entering its Rule ID in the text box after the Place Rule tab. 

Then use the Before/After radio button together with the Rule ID text box following it to decide the new 
place in the table for this policy, and click the Insert button. 

The policy will be moved to the new place in the table. 

Default Access Policies 

By default, the NetVanta 2000 series has eight corporate outbound policies configured for accessing 
popular Internet services from the corporate network. With these default access policies, any host in the 
corporate network can access the specified services on any host in the Internet. You can modify these 
policies to suit your network access policy. 

Default access policies have NAT enabled. 

> Policies > VPN 

When adding a VPN policy, decide its priority. By default, new VPN policies are added with the lowest 
priority (i.e., at the end of the VPN policy table). 

To set the priority of a new VPN policy, select the AFTER or BEFORE option from the Add drop down 
menu. Enter the name of the existing VPN policy to use as the placing guide for the newly added VPN 
policy. 

VPN policies may be added using either manual or automatic key management. 

Deleting A VPN Policy 

Select the VPN policy you want to delete from the VPN policy table and click the Delete button. This 
brings up the VPN policy delete confirmation dialog. If you confirm by clicking Yes, the VPN policy is 
removed. 




If there are secure communications active using this VPN policy, they may get disrupted. 



Editing A VPN Policy 

Select the VPN policy you want to edit from the VPN policy table and click the Modify button. This opens 
the selected VPN policy in edit mode. 

Here you can make the desired changes to the VPN policy. 




If there are secure communications active using this VPN policy, they may get disrupted 
due to the changes in the VPN policy parameters. 



Viewing A VPN Policy 

Select the VPN policy you want to view from the VPN policy table. Click on the Show button. This shows 
the selected VPN policy in non-editable form. 

This VPN policy view does not show any keying information. 

Changing Priority of A VPN Policy 

As with access policies, you can change the priority of a VPN policy in two ways. For small priority 
corrections, use the up and down buttons located in the end columns of each policy in the VPN policy 
table. Clicking the up or down button raises or lowers the priority of the VPN policy with respect to its 
neighboring policies. 

For major priority corrections, use the Place control located at the end of the policy table. Select the 
policy whose priority you want to change by entering its policy name in the text box after the Place tab. 

Then use the drop down menu with the BEFORE/AFTER options and the following VPN policy name 
text box to define the new place for this VPN policy in the table. Click the OK button. 

The VPN policy will be moved to the new place in the table. 




If the access policies are wider than the IPsec policies, the traffic that does not fall within the IPsec 
policy range will be passed through as plain packets. 



To enforce this check, you must select Yes for the Security option in the Access Policies. 
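The two notes above, and the Security option and Place Rule control described under the access policies, come down to three mechanics: policies are evaluated top-down and the first selector match wins, reordering changes which policy wins, and a Permit policy whose selector is wider than every VPN selector lets part of its traffic leave as plain packets. The following is an added example (not ADTRAN code; the function names, the sample policy table and the VPN selector are constructed) that models those three mechanics over the selector fields the pages describe (IP and Mask Bits, port range start/end, protocol, Permit/Deny):

```python
"""Added example (not ADTRAN code): a model of the access-policy table, the
Place Rule control and the Security check.  Names are hypothetical; the
sample policies and VPN selector below are constructed."""
from dataclasses import dataclass
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")   # the "Any" IP menu option
ANY_PORTS = (1, 65535)                         # the "Any" port menu option


@dataclass
class Policy:
    rule_id: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple              # (start, end); a single port is (p, p)
    proto: str                # "tcp", "udp", "icmp" or "all"
    action: str = "permit"    # "permit" or "deny"


def other(ip, mask_bits):
    """The 'Other' choice: an IP plus Mask Bits, as typed into the two text boxes."""
    return ipaddress.ip_network(f"{ip}/{mask_bits}", strict=False)


def ports(start, end=None):
    """A port range start with an empty end box means a single port."""
    return (start, end if end is not None else start)


def matches(p, src_ip, dst_ip, dport, proto):
    return (ipaddress.ip_address(src_ip) in p.src
            and ipaddress.ip_address(dst_ip) in p.dst
            and p.dport[0] <= dport <= p.dport[1]
            and p.proto in ("all", proto))


def first_match(table, src_ip, dst_ip, dport, proto):
    """Policies are tried from the top of the table (highest priority) down;
    the first selector match decides permit or deny."""
    for p in table:
        if matches(p, src_ip, dst_ip, dport, proto):
            return p
    return None


def place_rule(table, rule_id, position, ref_id):
    """The Place Rule control: move rule_id BEFORE or AFTER the rule ref_id."""
    moving = next(p for p in table if p.rule_id == rule_id)
    rest = [p for p in table if p.rule_id != rule_id]
    idx = next(i for i, p in enumerate(rest) if p.rule_id == ref_id)
    rest.insert(idx if position == "before" else idx + 1, moving)
    return rest


def uncovered_permits(table, vpn_selectors):
    """The Security check: a Permit policy whose selector is wider than every
    VPN selector lets some traffic leave as plain packets.  Returns the Rule
    IDs of such policies.  vpn_selectors is a list of (src_net, dst_net, ports)."""
    bad = []
    for p in table:
        if p.action != "permit":
            continue
        covered = any(p.src.subnet_of(vs) and p.dst.subnet_of(vd)
                      and vp[0] <= p.dport[0] and p.dport[1] <= vp[1]
                      for vs, vd, vp in vpn_selectors)
        if not covered:
            bad.append(p.rule_id)
    return bad


# Constructed sample table, highest priority first.
SAMPLE_TABLE = [
    Policy(1, other("10.1.0.0", 16), other("192.168.5.0", 24), ports(443), "tcp"),
    Policy(2, other("10.1.0.0", 16), ANY_NET, ANY_PORTS, "all", "deny"),
    Policy(3, ANY_NET, ANY_NET, ANY_PORTS, "all"),
]
# One constructed VPN selector: corporate LAN to the remote site's LAN, any port.
SAMPLE_VPN = [(other("10.1.0.0", 16), other("192.168.5.0", 24), ANY_PORTS)]

if __name__ == "__main__":
    print(first_match(SAMPLE_TABLE, "10.1.2.3", "8.8.8.8", 53, "udp").action)  # deny
    print(uncovered_permits(SAMPLE_TABLE, SAMPLE_VPN))                          # [3]
```

Moving rule 3 before rule 2 with `place_rule` makes the same DNS packet hit the wide Permit first, which is exactly the kind of change the "wider than IPsec" note warns about: rule 3 is also the one `uncovered_permits` reports, because `0.0.0.0/0` is not inside the VPN selector.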
> Policies > VPN > Tunnels (IPSec Tunnels) > Manual Key Management 

To use manual key management click Manual button. This will bring up the VPN policy configuration 
screen. 

Policy Name - is a symbolic name of the VPN policy. Each policy should have a unique policy name. 

Source Address - Drop down menu allows you to configure the source IP address of the outbound 
network traffic for which this VPN policy will provide security. Mostly, this address will be from your 
corporate network address space. All entries in the IP Address Table appear in this drop down menu. You 
can choose one of these, or select Other option from this menu and define the source IP address/subnet in 
the immediately following text boxes. Any option in this menu represents all valid IP addresses in the 
Internet address space. 

Destination Address - Drop down menu allows you to configure the destination IP address of the 
outbound network traffic for which this VPN policy will provide security. Mostly, this address will be from 
remote site's corporate network address space. All entries in the IP Address Table appear in this drop down 
menu. You can choose one of these, or select Other option from this menu and define the destination IP 
address/subnet in the immediately following text boxes. Any option in this menu represents all valid IP 
addresses in the Internet address space. 

Source Port - Drop down menu allows you to select the source port value for this VPN policy selector. All 
entries in the Services table appear in this menu. You can choose one of these, or select the Other option 
and define the Source Port in the immediately following text box. The Any option in this menu indicates 
the complete port range, i.e., 1 to 65535. 

Destination Port - Drop down menu allows you to select the destination port value for this VPN policy 
selector. All entries in the Services table appear in this menu. You can choose one of these, or select the 
OTHER option and define the Destination Port in the immediately following text box. The Any option in 
this menu indicates the complete port range, i.e., 1 to 65535. 

Protocol - Drop down menu allows you to choose the transport protocol for this VPN policy selector. 
ALL option in this menu represents all transport protocols riding on IP. 

Peer Security Gateway - is the IP address of the remote end of the VPN tunnel, i.e. WAN IP address of 
the remote Security Gateway. 

Local Security Gateway - is the IP address of the local end of the VPN tunnel, i.e. WAN interface IP 
address of your ADVANTA 2100. 

AH Configuration 

Authentication - this menu allows you to enable or disable AH transform for this VPN policy. 

Auth algorithm - If you choose to enable AH, this menu allows you to select the authentication 
algorithm. You can choose MD5 or SHA1; the default is MD5. 

IN Key - is the HMAC key used for computing the ICV (Integrity Check Value) on inbound traffic with the 
selected authentication algorithm. The length of this key must be 16 bytes for MD5 and 20 bytes for SHA1. 
Enter 16 or 20 characters (depending on the authentication algorithm) and the NetVanta 2000 series will 
use the ASCII code of each character to create the hex bytes needed for the algorithm. This key value 
should match the corresponding outbound key value on the remote end SG. 

IN SPI - is the SPI value identifying the inbound SA created by this AH transform. This should match the 
corresponding outbound SPI value configured on the remote end SG. For AH, values entered for the SPI 
are interpreted and used as hex by the NetVanta 2000 series. 

OUT Key - is the HMAC key used for computing the ICV on outbound traffic with the selected 
authentication algorithm. The length of this key must be 16 bytes for MD5 and 20 bytes for SHA1. Enter 
16 or 20 characters (depending on the authentication algorithm) and the NetVanta 2000 series will use the 
ASCII code of each character to create the hex bytes needed for the algorithm. This key value should 
match the corresponding inbound key value on the remote end SG. 

OUT SPI - is the SPI value identifying the outbound SA created by this AH transform. This should match 
the corresponding inbound SPI value configured on the remote end SG. For AH, values entered for the 
SPI are interpreted and used as hex by the NetVanta 2000 series. 

ESP Configuration 

Encryption - drop down menu allows you to enable or disable the ESP transform for this VPN policy. You 
can also select the ESP mode with this menu. The NetVanta 2000 series supports plain ESP and ESP with 
Authentication. 

ESP Algorithm - allows you to choose the encryption algorithm for this VPN policy. Two options are 
available, DES and 3DES; DES is the default value. 

Auth Algorithm - allows you to configure authentication algorithm if you enable ESP with 
Authentication mode. You can choose one from MD5 or SHA1. MD5 is the default value. 

IN SPI - is the SPI value identifying the inbound SA created by this ESP transform. For ESP, values entered 
for the SPI are interpreted and used as decimal data. This should match the corresponding outbound SPI 
value configured on the remote end SG. 

IN Auth Key - is the HMAC key used for computing the ICV on inbound traffic with the selected 
authentication algorithm if ESP with Authentication mode is configured. The length of this key must be 
16 bytes for MD5 and 20 bytes for SHA1. Enter 16 or 20 characters (depending on the authentication 
algorithm) and the NetVanta 2000 series will use the ASCII code of each character to create the hex bytes 
needed for the algorithm. This key value should match the corresponding outbound key value on the 
remote end SG. 

OUT SPI - is the SPI value identifying the outbound SA created by this ESP transform. For ESP, values 
entered for the SPI are interpreted and used as decimal data. This should match the corresponding 
inbound SPI value configured on the remote end SG. 

OUT Auth Key - is the HMAC key used for computing the ICV on outbound traffic with the selected 
authentication algorithm if ESP with Authentication mode is configured. The length of this key must be 
16 bytes for MD5 and 20 bytes for SHA1. Enter 16 or 20 characters (depending on the authentication 
algorithm) and the NetVanta 2000 series will use the ASCII code of each character to create the hex bytes 
needed for the algorithm. This key value should match the corresponding inbound key value on the 
remote end SG. 

IN ESP Key - is the encryption key used for deciphering the datagrams coming in from the remote end SG. 
The length of this key must be 8 bytes for DES and 24 bytes for 3DES. To gain the 3DES advantage, each 
8-byte set in this keying material should be different. This key value should match the outbound ciphering 
key on the remote end SG. 

OUT ESP Key - is the encryption key used for ciphering the datagrams going out to the remote end SG 
through the Internet. The length of this key must be 8 bytes for DES and 24 bytes for 3DES. To gain the 
3DES advantage, each 8-byte set in this keying material should be different. This key value should match 
the inbound deciphering key on the remote end SG. 



If the access policies are wider than the IPSec policies, the traffic that does not fall within the range of 
the IPSec policy will be passed through as plain packets. 



> Policies > VPN > Tunnels (IPSec Tunnels) > Automatic Key Management 

To use the automatic key management click Auto button. This will bring up the Auto VPN Policy 
Configuration screen. 

Policy Name - is a symbolic name of the VPN policy. Each policy should have a unique policy name. 

Source Address - Drop down menu allows you to configure the source IP address of the outbound 
network traffic for which this VPN policy will provide security. Mostly, this address will be from your 
corporate network address space. All entries in the IP Address Table appear in this drop down menu. You 
can choose one of these, or select OTHER option from this menu and define the source IP address/subnet 
in the immediately following text boxes. ANY option in this menu represents all valid IP addresses in the 
Internet address space. 

Destination Address - Drop down menu allows you to configure the destination IP address of the 
outbound network traffic for which this VPN policy will provide security. Mostly, this address will be from 
remote site's corporate network address space. All entries in the IP Address Table appear in this drop down 
menu. You can choose one of these, or select OTHER option from this menu and define the destination IP 
address/subnet in the immediately following text boxes. ANY option in this menu represents all valid IP 
addresses in the Internet address space. 

Source Port - Drop down menu allows you to select the source port value for this VPN policy selector. All 
entries in the Services table appear in this menu. You can choose one of these, or select the OTHER option 
and define the Source Port in the immediately following text box. The ANY option in this menu indicates 
the complete port range, i.e., 1 to 65535. 

Destination Port - Drop down menu allows you to select the destination port value for this VPN policy 
selector. All entries in the Services table appear in this menu. You can choose one of these, or select the 
OTHER option and define the Destination Port in the immediately following text box. The ANY option in 
this menu indicates the complete port range, i.e., 1 to 65535. 

Protocol - Drop down menu allows you to choose the transport protocol for this VPN policy selector. 
ALL option in this menu represents all transport protocols riding on IP. 

Peer Security Gateway - is the IP address of the remote end of the VPN tunnel, i.e. WAN IP address of 
the remote Security Gateway. 

Local Security Gateway - is the IP address of the local end of the VPN tunnel, i.e. WAN interface IP 
address of your ADVANTA 2100. 

AH Configuration 

Authentication - this menu allows you to enable or disable AH transform for this VPN policy. 

Auth algorithm - If you choose to enable AH, this menu allows you to select the authentication 
algorithm. You can choose MD5 or SHA1; the default is MD5. 

ESP Configuration 

Encryption - drop down menu allows you to enable or disable the ESP transform for this VPN policy. You 
can also select the ESP mode with this menu. Two ESP modes are available: plain ESP and ESP with 
Authentication. 

ESP Algorithm - allows you to choose the encryption algorithm for this VPN policy. Two options are 
available, DES and 3DES; DES is the default value. 

Auth Algorithm - allows you to configure authentication algorithm if you enable ESP with 
Authentication mode. You can choose one from MD5 or SHA1. MD5 is the default value. 

> Policies > VPN > IKE Policies 

To add an IKE policy, click the Add button to display the IKE Policy Configuration page. A description of 
the IKE configuration parameters follows. 

Policy Name - is a symbolic name of the VPN policy. Each policy should have a unique policy name. 

Direction - You may specify any of the available options in the drop down menu. It includes Both 
directions, Initiator only, and Responder only. Choosing Both directions allows the unit to act as both 
initiator and responder. 

Currently only Both Directions is supported. 

Exchange Type - You may select any one of the options available in the drop down menu. It includes Main 
Mode and Aggressive Mode. 

Local ID Type - Select any one of the options available in the drop down menu. It includes IP Address 
(IP v.4 address), FQDN (fully qualified domain name), User FQDN (fully qualified username string), and 
DER ANSI DN (X.500 distinguished name). 

Local ID Data - Based on the Local ID Type selected, enter the appropriate Local ID data. If IP Address 
is selected, enter an IP v.4 address in the Local ID Data field. If FQDN is selected, enter a fully qualified 
domain name (e.g., netvantal.adtran.com) in the Local ID Data field. If User FQDN is selected, enter a 
fully qualified username string (e.g., networkmaster@adtran.com) in the Local ID Data field. If DER 
ANSI DN is selected, enter the X.500 Distinguished Name (X.501) of the principal whose certificates are 
being exchanged to establish the SA in the Local ID Data field. 

Remote ID Type - Select any one of the options available in the drop down menu. It includes IP Address 
(IP v.4 address), FQDN (fully qualified domain name), User FQDN (fully qualified username string), and 
DER ANSI DN (X.500 distinguished name). 

Remote ID Data - Based on the Remote ID Type selected, enter the appropriate Remote ID data. If IP 
Address is selected, enter an IP v.4 address in the Remote ID Data field. If FQDN is selected, enter a fully 
qualified domain name (e.g., advanta.adtran.com) in the Remote ID Data field. If User FQDN is selected, 
enter a fully qualified username string (e.g., networkmaster@adtran.com) in the Remote ID Data field. If 
DER ANSI DN is selected, enter the X.500 Distinguished Name (X.501) of the principal whose certificates 
are being exchanged to establish the SA in the Remote ID Data field. You can specify up to 10 Remote ID 
Types and Remote ID Data. 

Local IP Address - You MUST specify the Local IP address of the system. 
Remote IP Address - You must specify the Remote IP address. 

Encryption Algorithm - You may select one of the algorithms specified in the drop down menu. It 
includes DES and 3DES. 

Authentication Algorithm - You may select one of the algorithms specified in the drop down menu. It 
includes MD5 and SHA1. 

Authentication Mode - You may select any one of the authentication modes specified in the drop down 
menu. This includes Pre-Shared Key, DSS_SIGN, RSASIGN, RSAENC, and RSA_REV_ENC. 

Key - If you select Pre-Shared Key as your authentication mechanism, you must specify the key. Its length 
depends on the Authentication Algorithm you have selected: for MD5 the key length should be 16 bytes, 
and for SHA1 it should be 20 bytes. 

Lifetime - Lifetime of the IKE SA in seconds. 

DH Group - There are two groups to choose from in the drop down menu. Choose one of them. 

Click Submit to store these changes in memory. 
Source Address - Drop down menu allows you to configure the source IP address of the outbound 
network traffic for which this VPN policy will provide security. Mostly, this address will be from your 
corporate network address space. All entries in the IP Address Table appear in this drop down menu. You 
can choose one of these, or select Other option from this menu and define the source IP address/subnet in 
the immediately following text boxes. Any option in this menu represents all valid IP addresses in the 
Internet address space. 

Destination Address - Drop down menu allows you to configure the destination IP address of the 
outbound network traffic for which this VPN policy will provide security. Mostly, this address will be from 
remote site's corporate network address space. All entries in the IP Address Table appear in this drop down 
menu. You can choose one of these, or select Other option from this menu and define the destination IP 
address/subnet in the immediately following text boxes. Any option in this menu represents all valid IP 
addresses in the Internet address space. 

Source Port - Drop down menu allows you to select the source port value for this VPN policy selector. All 
entries in the Services table appear in this menu. You can choose one of these, or select the Other option 
and define the Source Port in the immediately following text box. The Any option in this menu indicates 
the complete port range, i.e., 1 to 65535. 

Destination Port - Drop down menu allows you to select the destination port value for this VPN policy 
selector. All entries in the Services table appear in this menu. You can choose one of these, or select the 
Other option and define the Destination Port in the immediately following text box. The Any option in 
this menu indicates the complete port range (i.e., 1 to 65535). 

> Policies > VPN > Certificates 

The NetVanta 2000 series supports the use of both RSA and DSS Signature Algorithm Certificates. The 
NetVanta 2000 series provides the capability to generate self-certificate requests, and maintains a listing of 
private keys (certificate requests) that currently have no public key (self-certificate assigned by the 
Certificate Authority). 

Always contact your Certificate Authority (VeriSign, Entrust, etc.) before generating your self-certificate 
request. The parameters configured in your request must match what the Certificate Authority requires for 
you to receive your self-certificate. Once the request is generated, follow your Certificate Authority's 
guidelines for supplying them with your request. Many Certificate Authorities allow e-mail requests, but 
some do not. 

> Policies > VPN > Certificates > Self Certificate 

The NetVanta 2000 series provides the capability to generate self certificate requests in PEM (Privacy 
Enhanced Mail) format for either RSA or DSS signature algorithms. Refer to DLP-017, Generating a 
Self-Certificate Request for more details. 

> Policies > VPN > Certificates > CA Certificate 

The NetVanta 2000 series supports loading Certificate Authority certificates in PEM (Privacy Enhanced 
Mail) format for either RSA or DSS signature algorithms. Refer to DLP-018, Uploading a CA Certificate 
to the NetVanta for more details. 



61200361L1-1E ©2002 ADTRAN, Inc. 71 

Section 4, User Interface Guide NetVanta 2000 Series System Manual 



> Policies > VPN > Certificates > Private Key Without Public Key 

The NetVanta 2000 series provides the capability to generate self certificate requests in PEM (Privacy 
Enhanced Mail) format for either RSA or DSS signature algorithms. Refer to DLP-017, Generating a 
Self-Certificate Request for more details. The NetVanta 2000 series tracks all generated self certificate 
requests and keeps them in the Private Key Without Public Key list until the corresponding self certificate 
is loaded into the unit. 

> Policies > VPN > Certificates > CRL 

The NetVanta 2000 series supports loading Certificate Revocation Lists obtained from Certificate 
Authorities. Upload the CRL by clicking the Browse button to find the Certificate Authority's CRL file, 
then click the Upload button to make it active in the NetVanta 2000 series system. 
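Every upload in this Certificates section (self certificate, CA certificate, CRL) is a PEM file, and a file that has been mangled in transit from the CA (wrong block pasted, line lost in e-mail, trailing junk) is easier to diagnose before the upload than after. The following is an added example (not ADTRAN code; the label table, function names and the sample file are constructed, and the sample body is a minimal DER SEQUENCE rather than a real certificate) that checks a PEM file's label, base64 body and outer DER length before it is uploaded:

```python
"""Added example (not ADTRAN code): a sanity check on a PEM file before it is
uploaded as a self certificate, CA certificate or CRL.  The label table and the
sample file are constructed; the sample body is a minimal DER SEQUENCE, not a
real certificate."""
import base64
import binascii
import re

EXPECTED_LABEL = {
    "self_certificate": "CERTIFICATE",
    "ca_certificate": "CERTIFICATE",
    "certificate_request": "CERTIFICATE REQUEST",
    "crl": "X509 CRL",
}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(der):
    """Return (header_len, content_len) for the outer SEQUENCE of a DER object."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem(text, kind):
    """Return (ok, message).  ok means: the BEGIN/END label is the one expected
    for this upload, the body is valid base64, and the decoded DER is exactly
    one SEQUENCE with no truncation and no trailing bytes."""
    m = PEM_BLOCK.search(text)
    if not m:
        return False, "no PEM block found"
    label, body = m.group(1), m.group(2)
    want = EXPECTED_LABEL[kind]
    if label != want:
        return False, f"label is {label!r}, expected {want!r}"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        header, content = der_sequence_length(der)
    except (binascii.Error, ValueError) as e:
        return False, f"undecodable body: {e}"
    if header + content != len(der):
        return False, "DER length does not match file size (truncated or extra data)"
    return True, f"{label}: {len(der)} DER bytes"


# Constructed sample: base64 of 30 03 02 01 05, i.e. SEQUENCE { INTEGER 5 }.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
# The same file with its last base64 group lost, as happens when a line is dropped.
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(check_pem(SAMPLE_PEM, "ca_certificate"))
    print(check_pem(TRUNCATED_PEM, "ca_certificate"))
```

The length comparison is the useful part: base64 decodes a truncated body without complaint, but the outer SEQUENCE header still declares the original size, so a dropped line shows up as a mismatch rather than as a confusing upload failure.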

> Monitor 

This section discusses the monitoring capabilities of NetVanta 2000 series including access policy and 
association database statistics, user session information, and NetVanta 2000 series access records. The 
NetVanta 2000 series monitor configuration parameters are displayed by clicking on the Monitor menu on 
the Administration Console. 

> Monitor > Policy Statistics 

The Policy Statistics page is displayed by clicking on Policy Statistics found in the menu list. 

> Monitor > Policy Statistics > Access Policy Statistics 

The Access Policy Statistics page displays static and dynamic policy allocation attempts, policy allocation 
failures, and policy request successes and failures. This table shows the policy statistics for the current 
hour, previous hour, and a daily total. 

> Monitor > Policy Statistics > Association Database Statistics 

The Association Database Statistics page displays association memory statistics as well as broadcast, 
connection, security association (SA), and other security and traffic-related statistics. Using the same 
format as the Access Policy Statistics display, it shows the association database statistics for current hour, 
previous hour, and a daily total. 

> Monitor > User Accounting 

The User Accounting page provides remote user session statistics. This includes User Name, Login Time, Logout Time, Bytes transferred In and Out, and the user's Source IP address. These fields summarize a remote user's session. Effective network administrators will have a sense of normal activity on the network, making it easier to spot abnormal activity or behavior. The User Accounting page is displayed by clicking on User Accounting found in the menu list.
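The kind of baseline the paragraph above asks an administrator to keep can be made mechanical. The following Python is an added example, not part of the manual or of ADTRAN's software: it takes rows with the fields the User Accounting page lists (the row layout and the sample values are constructed) and flags a session that falls outside a user's own history on three counts: a login outside working hours, a first login from a new source IP, and an outbound byte count far above the user's median. The thresholds (06:00 to 22:00, 5x the baseline) are assumptions to tune per site.

```python
"""Added example (not from the NetVanta manual): a baseline check over
User Accounting rows, flagging sessions that depart from a remote user's
own history.  The rows below are constructed to mirror the fields the
User Accounting page lists; the export layout is an assumption."""
from datetime import datetime
from statistics import median

# Constructed sample rows: user, login, logout, bytes in, bytes out, source IP.
SAMPLE_ROWS = [
    ("alice", "2002-06-03 08:55:10", "2002-06-03 17:02:44", 52_000_000, 4_100_000, "203.0.113.10"),
    ("alice", "2002-06-04 09:01:30", "2002-06-04 16:48:01", 48_500_000, 3_900_000, "203.0.113.10"),
    ("alice", "2002-06-05 08:58:05", "2002-06-05 17:10:12", 51_200_000, 4_300_000, "203.0.113.10"),
    ("alice", "2002-06-06 02:14:55", "2002-06-06 02:51:09", 1_200_000, 910_000_000, "198.51.100.77"),
    ("bob",   "2002-06-03 07:30:00", "2002-06-03 15:30:00", 20_000_000, 2_000_000, "203.0.113.22"),
    ("bob",   "2002-06-04 07:31:00", "2002-06-04 15:29:00", 21_000_000, 2_100_000, "203.0.113.22"),
]


def parse_rows(rows):
    """Turn raw tuples into session dicts with real datetimes."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [{"user": u, "login": datetime.strptime(t0, fmt),
             "logout": datetime.strptime(t1, fmt),
             "bytes_in": b_in, "bytes_out": b_out, "src": src}
            for u, t0, t1, b_in, b_out, src in rows]


def find_anomalies(sessions, work_hours=(6, 22), ratio=5.0, min_history=2):
    """Return [(user, login time, [reasons])] for sessions that break the
    user's own baseline.  Thresholds are assumptions to tune per site."""
    findings = []
    by_user = {}
    for s in sorted(sessions, key=lambda s: s["login"]):
        by_user.setdefault(s["user"], []).append(s)
    for user, history in by_user.items():
        seen_ips, prior_out = set(), []
        for s in history:                       # chronological per user
            reasons = []
            if not work_hours[0] <= s["login"].hour < work_hours[1]:
                reasons.append("login outside %02d:00-%02d:00" % work_hours)
            if seen_ips and s["src"] not in seen_ips:
                reasons.append("first login from source IP %s" % s["src"])
            if len(prior_out) >= min_history:   # need some history for a baseline
                baseline = median(prior_out)
                if baseline > 0 and s["bytes_out"] > ratio * baseline:
                    reasons.append("bytes out %d is more than %.0fx the baseline %d"
                                   % (s["bytes_out"], ratio, baseline))
            if reasons:
                findings.append((user, s["login"].strftime("%Y-%m-%d %H:%M:%S"), reasons))
            seen_ips.add(s["src"])
            prior_out.append(s["bytes_out"])
    return findings


if __name__ == "__main__":
    for user, when, reasons in find_anomalies(parse_rows(SAMPLE_ROWS)):
        print(user, when, "; ".join(reasons))
```

Run against the sample rows, only alice's fourth session is reported, and it trips all three checks; removing that row yields no findings. The checks are deliberately per user, since a byte count that is normal for one remote user can be far outside another's habit.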

> Monitor > Access Log 

The Access Log page is displayed by clicking on Access Log found in the menu list. The Log Window shows all event log messages that have not been exported by the NetVanta 2000 series.

The NetVanta 2000 series log queue can be cleared by clicking on the Clear Log button found in the Log Window dialog box.

Messages in the log queue when it is cleared are permanently lost.
DETAIL LEVEL PROCEDURES

Connecting to the NetVanta 2000 Series DLP-001

Changing the Admin Password in the NetVanta DLP-002

Saving the Current Settings of the NetVanta DLP-003

Setting the Time and Date in the NetVanta DLP-004

Configuring the LAN Interface IP Address DLP-005

Configuring the WAN Interface Using Dynamic or Static IP Addressing DLP-006

Configuring the WAN Interface For PPPoE Addressing DLP-007

Upgrading the Firmware of the NetVanta 2000 series DLP-008

Saving the Current Configuration of the NetVanta DLP-009

Loading a Saved Configuration into the NetVanta DLP-010

Adding a Default Route to the NetVanta Route Table DLP-011

Configuring the LAN Interface DHCP Server DLP-012

Defining a User Group in the NetVanta DLP-013

Adding a User to the Users Component Table DLP-014

Using the IP Address Component Table DLP-015

Adding a Service to the Services Component Table DLP-016

Generating a Self-Certificate Request DLP-017

Uploading a CA Certificate to the NetVanta DLP-018

Uploading a Self-Certificate to the NetVanta DLP-019

Reviewing the Various Keys of the NetVanta DLP-020

Restoring the NetVanta to Factory Defaults DLP-021

Viewing the DHCP Info Table DLP-022
CONNECTING TO THE NETVANTA 2000 SERIES

Introduction

The NetVanta 2000 series can be accessed and managed via the LAN interface using an ethernet crossover cable (provided). Alternately, the NetVanta 2000 series may be accessed using a hub and two ethernet cables (one for the PC and one for the NetVanta 2000 series). Using a PC with an installed browser (Internet Explorer 5.5 for optimal viewing), the NetVanta 2000 series can be configured using an easy GUI.

Prerequisite Procedures

The NetVanta 2000 series should be accessible to connect to a PC with an installed browser.

Tools and Materials Required

Ethernet crossover cable (provided)
DHCP-enabled PC with installed browser

To prevent electrical shock, do not install equipment in a wet location or during a

This DLP assumes that a PC with DHCP-client software enabled will be used when initially connecting to the NetVanta 2000 series.

DLP-001

Perform Steps Below in the Order Listed



1. Connect power to the NetVanta 2000 series using the provided wallmount power supply.

2. Connect the NetVanta 2000 series LAN interface to the PC using the provided ethernet crossover cable.

3. Supply power to the PC and begin the operating system bootup process. During the bootup process, the PC will obtain an IP address from the NetVanta 2000 series DHCP server. Alternately, complete the process for releasing and renewing captured IP addresses to obtain a new IP address from the NetVanta 2000 series DHCP server. Please refer to your specific operating system documentation for the details of that process on your PC.

4. Open your installed browser and in the URL field enter 10.10.10.1. The NetVanta 2000 series login screen will appear.

[Screenshot: http://10.200.1.140/login.htm, login page with Name and Password fields and Login now / Reset buttons]

5. Enter your username and password and click the login button. When connecting to the NetVanta 2000 series for the first time, the username is admin and there is no set password.




ADTRAN strongly recommends immediately changing the admin password for security 
purposes. Refer to DLP-002 for details. 
6. After logging in to the NetVanta 2000 series, the welcome screen will appear.




Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
CHANGING THE ADMIN PASSWORD IN THE NETVANTA



Introduction 

This DLP explains how to change the existing admin password in the NetVanta 2000 series access list. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials are required. 




To prevent electrical shock, do not install equipment in a wet location or during a

DLP-002

Perform Steps Below in the Order Listed

1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Admin. This displays the Change 
Password dialog box. 



[Screenshot: http://10.200.1.140/admin.htm, Admin menu with Change Password, Factory Defaults, Upgrade Firmware and Configuration Transfer; Admin Password Setting form with Old Password, New Password, Confirm New Password, Submit and Reset]

3. Enter the existing password in the Old Password data field. If this is the first time changing the password in the NetVanta 2000 series, this field will be blank.



[Screenshot: admin.htm, Admin Password Setting form with Old Password, New Password, Confirm New Password and Session Timeout (secs) fields; menu list with Change Password, Reboot System, Save Settings, Factory Defaults, Upgrade Firmware, Configuration Transfer]

4. Enter the new password in both the New Password data field and Confirm New Password data 
fields. 



[Screenshot: admin.htm, Admin Password Setting form with the New Password and Confirm New Password fields filled in]

5. You may enter a Session Timeout (in seconds). Leaving this field blank results in an infinite Session Timeout.



[Screenshot: admin.htm, Admin Password Setting form with the Session Timeout field]

A Session Timeout less than 120 sec is not recommended. Having a short session 
timeout will make it difficult to configure the NetVanta 2000 series before timing out. 
6. Once all fields are completed, click the Submit button to register the password change. Once the Submit button has been clicked, the Operation Result screen will appear.



[Screenshot: admin.htm, Operation Result: "Password changed successfully", with a Login Again link]

7. Click the Login Again hyperlink and enter admin as the username and the new password in the 
Password field. 



8. Follow the procedures outlined in DLP-003 to save the settings to nonvolatile memory. 
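As an added example, not ADTRAN's code, the following Python checks the values an administrator is about to submit in the Admin Password Setting form against the rules this DLP states: a blank Old Password the first time, matching New and Confirm fields, a blank Session Timeout meaning an infinite session, and the 120 second floor in the note above. MIN_PASSWORD_LENGTH is an assumed site policy, not a limit of the unit.

```python
"""Added example (not ADTRAN code): pre-submit validation of the Admin
Password Setting form described in DLP-002.  MIN_PASSWORD_LENGTH is an
assumed local policy; the 120 second timeout floor is the manual's own
recommendation."""

MIN_PASSWORD_LENGTH = 8          # assumed site policy, not a NetVanta limit
RECOMMENDED_MIN_TIMEOUT = 120    # seconds, per the DLP-002 note


def check_admin_password_form(old_password, new_password, confirm_password,
                              session_timeout=""):
    """Return (ok, findings).  findings is a list of (severity, message);
    ok is False only when an 'error' is present, warnings still allow submit."""
    findings = []
    if new_password != confirm_password:
        findings.append(("error", "New Password and Confirm New Password differ"))
    if new_password == "":
        # The unit ships with no admin password at all (DLP-001 step 5).
        findings.append(("error", "new password is empty; the admin account would stay "
                                  "in its factory state of no password"))
    else:
        if new_password == old_password:
            findings.append(("error", "new password is identical to the old password"))
        if len(new_password) < MIN_PASSWORD_LENGTH:
            findings.append(("error", "new password shorter than %d characters"
                             % MIN_PASSWORD_LENGTH))
    timeout = session_timeout.strip()
    if timeout == "":
        # Blank means infinite on this unit: an idle browser stays logged in forever.
        findings.append(("warn", "Session Timeout blank: the admin session never expires"))
    elif not timeout.isdigit():
        findings.append(("error", "Session Timeout must be a whole number of seconds"))
    elif int(timeout) < RECOMMENDED_MIN_TIMEOUT:
        findings.append(("warn", "Session Timeout under %d s is not recommended"
                         % RECOMMENDED_MIN_TIMEOUT))
    ok = not any(sev == "error" for sev, _ in findings)
    return ok, findings


if __name__ == "__main__":
    # First-time change: Old Password blank, sensible timeout.
    print(check_admin_password_form("", "Tr0ub4dor&3x", "Tr0ub4dor&3x", "600"))
```

Warnings are kept separate from errors on purpose: a blank or short timeout is still a valid submission on this unit, so the check reports the risk without pretending the form would reject it.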



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
SAVING THE CURRENT SETTINGS OF THE NETVANTA



Introduction 

After making a configuration change in the NetVanta 2000 series, it is necessary to save the new settings to 
non- volatile memory. If the changes are not saved, a power loss to the NetVanta 2000 series will result in a 
configuration loss. This DLP details the process for saving settings to NetVanta 2000 series non-volatile 
memory. 

Prerequisite Procedures 

This procedure assumes that the NetVanta 2000 series unit is connected to a PC with an internet browser 
and is powered up. Refer to DLP-001 for instructions on connecting the PC to the NetVanta 2000 series 
LAN port and logging in to the NetVanta 2000 series system. 

Tools and Materials Required 

No special tools or materials are required. 




To prevent electrical shock, do not install equipment in a wet location or during a

DLP-003

Perform Steps Below in the Order Listed

1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).



2. From the main menu (located across the top of the screen), select Admin. 



[Screenshot: http://10.200.1.140/admin.htm, Admin page with the Admin Password Setting form]

©2002 ADTRAN, Inc.

61200361L1-1E
3. From the menu list (located on the left side of the screen), select Save Settings. The save settings 
confirmation page will display. 



[Screenshot: http://10.200.1.140/save.htm, Save Settings confirmation: "Do you really wish to save the current NetVanta configuration?"]
4. Select Yes to save the current NetVanta 2000 series settings to non-volatile memory. A status page 
will display when the settings have been successfully saved. 



[Screenshot: save.htm, status page shown after the settings are saved]



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
SETTING THE TIME AND DATE IN THE NETVANTA



Introduction 

Many security operations are time and date critical. This DLP provides the procedures for setting the 
NetVanta 2000 series system time and date to ensure proper operation. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials are required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
DLP-004

Perform Steps Below in the Order Listed

1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Config.

3. From the menu list (located on the left side of the screen), select General. The General Configuration page will appear.



[Screenshot: http://10.200.1.140/general.htm, General Configuration page: Serial Number, Firmware Version 2.1-h, System Up Time, Time Zone, Change Date and Time?, System Date (mm-dd-yyyy), System Time (hr:min:sec), Time Server Address, DNS Server 1 Address, DNS Server 2 Address, DHCP Client Host Name, MAC Address (factory), MAC Address Masquerading, MAC Address (current)]
5. Select the appropriate time zone from the Time Zone drop-down menu (located in the upper third of the screen).



[Screenshot: general.htm with the Time Zone drop-down open, listing Samoa (US) (GMT -11:00), Aleutian (US) (GMT -10:00), Hawaii (US) (GMT -10:00), Alaska (US & Canada) (GMT -9:00), Pacific (US & Canada) (GMT -8:00), Mountain (US & Canada) (GMT -7:00), Arizona (US) (GMT -7:00), Central (US & Canada) (GMT -6:00), Michigan (US) (GMT -6:00), Eastern (US & Canada) (GMT -5:00), ...]
6. Enter the System Date and System Time in the appropriate fields. 



[Screenshot: general.htm with the System Date (mm-dd-yyyy) and System Time (hr:min:sec) fields filled in]
7. Alternately, enter the address of a time server to be used (instead of the local NetVanta 2000 series date and time) in the Time Server Address field.



[Screenshot: general.htm with the Time Server Address field]



8. Scroll to the bottom of the page and click the Submit button. 



[Screenshot: general.htm scrolled to the Submit and Reset buttons]
9. Follow the procedures outlined in DLP-003 to save the settings to nonvolatile memory.

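The Time Server Address field hands clock discipline to a time server. The following Python is an added example, not the unit's implementation or ADTRAN code: it builds an SNTP request, validates a server reply (mode, stratum, and that the reply echoes our own transmit timestamp, which rejects stale or spoofed answers), and computes the offset the local clock is off by using the four-timestamp formula of RFC 4330. The server reply is constructed so the code runs offline; the 300 second skew and the 5 second acceptance limit are assumptions.

```python
"""Added example (not ADTRAN code): an offline SNTP (RFC 4330) exchange
showing how a time server reply is checked and how far a device clock is
off.  The server reply is constructed here so the code runs without a
network; the 300 second skew and the 5 second limit are assumptions."""
import struct

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 to 1970-01-01
NTP_FMT = "!BBbbIIIQQQQ"                  # 48-byte SNTP header
MAX_ACCEPTABLE_SKEW = 5.0                 # seconds, assumed site policy


def to_ntp(unix_seconds):
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time as float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(transmit_unix):
    """Client packet: LI=0, VN=4, Mode=3, only the Transmit Timestamp set."""
    header = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_FMT, header, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(transmit_unix))


def build_server_reply(request, receive_unix, transmit_unix, stratum=2):
    """What a server sends back: Mode=4, Originate copied from the request."""
    header = (0 << 6) | (4 << 3) | 4
    originate = struct.unpack("!Q", request[40:48])[0]
    return struct.pack(NTP_FMT, header, stratum, 0, 0, 0, 0, 0, 0,
                       originate, to_ntp(receive_unix), to_ntp(transmit_unix))


def clock_offset(request, reply, reply_received_unix):
    """Validate the reply against the request and return the offset (seconds)
    the local clock must be moved by: ((T2 - T1) + (T3 - T4)) / 2."""
    if len(reply) < 48:
        raise ValueError("reply shorter than an SNTP header")
    fields = struct.unpack(NTP_FMT, reply[:48])
    mode, stratum = fields[0] & 0x07, fields[1]
    if mode != 4:
        raise ValueError("reply is not a server packet (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("kiss-o'-death or unsynchronised server, do not use")
    t1_raw = struct.unpack("!Q", request[40:48])[0]
    if fields[8] != t1_raw:
        # A reply whose Originate field does not echo our Transmit field is
        # stale, spoofed or belongs to a different request: discard it.
        raise ValueError("originate timestamp does not match our request")
    t1 = from_ntp(t1_raw)          # we sent the request (local clock)
    t2 = from_ntp(fields[9])       # server received it (server clock)
    t3 = from_ntp(fields[10])      # server replied (server clock)
    t4 = reply_received_unix       # we received the reply (local clock)
    return ((t2 - t1) + (t3 - t4)) / 2


def skew_is_acceptable(offset, limit=MAX_ACCEPTABLE_SKEW):
    """Large skew breaks certificate validity checks and log correlation."""
    return abs(offset) <= limit


def example_exchange():
    """Constructed scenario: server clock 300 s ahead, about 50 ms each way."""
    t1 = 1023000000.0                     # client clock when request sent
    req = build_request(t1)
    reply = build_server_reply(req, t1 + 300.050, t1 + 300.051)
    return clock_offset(req, reply, t1 + 0.101)


if __name__ == "__main__":
    off = example_exchange()
    print("offset %.3f s, acceptable: %s" % (off, skew_is_acceptable(off)))
```

The originate-timestamp comparison is the one check a practitioner most often omits; without it any host that can reach the device's UDP port can answer with an arbitrary time. Plain SNTP still has no authentication, so a trusted, reachable time server on the inside of the unit is the safer choice.
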
Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
CONFIGURING THE LAN INTERFACE IP ADDRESS



Introduction 

When the NetVanta 2000 series is connected to an IP network, there are several IP parameters that must be 
set in order for the unit to communicate with the network. These parameters are described in this DLP 
along with the procedures for setting them. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials are required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
DLP-005

Perform Steps Below in the Order Listed

If you are connected to the NetVanta 2000 series through the LAN interface, changing the LAN interface IP address will result in a loss of communication with the unit. Before changing the LAN IP address, follow the steps in DLP-012, Configuring the LAN Interface DHCP Server, to assign the DHCP server a range of IP addresses on the same subnet as the new LAN IP address.

1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Config. 



[Screenshot: http://10.200.1.140/general.htm, General Configuration page shown after selecting Config]
3. From the menu list (located on the left side of the screen), select Network Interface. This displays the Ethernet Config page.



[Screenshot: http://10.200.1.140/ether.htm, Network Interface > Ethernet config, Ethernet IP Address section]

4. Enter the IP address for the LAN side of the NetVanta 2000 series in the LAN IP field. Enter the appropriate subnet mask in the field below.



[Screenshot: ether.htm, Ethernet IP Address form: LAN IP, Subnet Mask 255.255.255.0, WAN IP TYPE (Dynamic / Static / PPP over Ethernet), WAN IP, Subnet Mask, Change Password?, Password, Password Confirmation, AC Name, Submit and Reset]
5. Scroll to the bottom of the screen and click the Submit button. The screen will blink and you will return to the Ethernet Config page.

6. Follow the procedures outlined in DLP-003 to save the settings to nonvolatile memory. 

7. If you are connecting to the unit via the LAN interface, it will be necessary for you to log into the unit 
again once the IP address has been changed (see DLP-001 for details). 
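The caution at the top of this DLP can be checked before anything is submitted. The following Python is an added example, not ADTRAN code: given the planned LAN IP and mask and the DHCP range to be set under DLP-012, it reports whether the range lies on the new subnet, whether it avoids the LAN IP itself, and whether the LAN IP is a usable host address. The sample addresses are constructed.

```python
"""Added example (not ADTRAN code): pre-change check for the caution in
DLP-005.  Before the LAN IP is changed the DHCP range assigned under
DLP-012 must lie on the new LAN subnet, or the management PC will not
get a lease and the unit becomes unreachable.  The addresses used in the
self-test are constructed samples."""
import ipaddress


def plan_lan_change(new_lan_ip, subnet_mask, dhcp_start, dhcp_end):
    """Return a list of problems; an empty list means the new LAN IP and
    the DHCP range are consistent and the change is safe to submit."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface("%s/%s" % (new_lan_ip, subnet_mask))
        start = ipaddress.IPv4Address(dhcp_start)
        end = ipaddress.IPv4Address(dhcp_end)
    except ValueError as exc:
        return ["unparseable address or mask: %s" % exc]
    net, lan = iface.network, iface.ip
    # The unit itself needs a host address, not the subnet's network/broadcast.
    if net.prefixlen < 31 and lan in (net.network_address, net.broadcast_address):
        problems.append("LAN IP %s is the network or broadcast address of %s" % (lan, net))
    if start > end:
        problems.append("DHCP range start %s is after end %s" % (start, end))
    # This is the DLP-005 caution: the lease the PC gets must be on the new subnet.
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append("DHCP range %s %s is not on the new LAN subnet %s; the "
                            "management PC could not get a lease after the change"
                            % (label, addr, net))
    # A lease equal to the unit's own address would collide with it.
    if start <= lan <= end:
        problems.append("DHCP range includes the LAN IP %s itself" % lan)
    return problems


if __name__ == "__main__":
    # Constructed plan: move the LAN from the factory 10.10.10.x to 10.10.20.x
    # but forget to move the DHCP range along with it.
    for p in plan_lan_change("10.10.20.1", "255.255.255.0", "10.10.10.100", "10.10.10.200"):
        print("-", p)
```

The second case in the self-test is exactly the mistake the caution warns about: the factory DHCP range is left on 10.10.10.x while the LAN moves to 10.10.20.x, and the PC's next lease can no longer reach the unit.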

Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 






CONFIGURING THE WAN INTERFACE USING DYNAMIC OR STATIC IP ADDRESSING



Introduction 

The NetVanta 2000 series supports three IP addressing schemes on the WAN interface — dynamic, static, 
and PPP over Ethernet (PPPoE). This DLP discusses the procedure for using either the dynamic IP or static 
addressing schemes. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials are required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
DLP-006

Perform Steps Below in the Order Listed - Dynamic Addressing

1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Config. The Ethernet Config 
page will appear. 



[Screenshot: http://10.200.1.140/ether.htm, Ethernet Config page with LAN IP and Subnet Mask 255.255.255.0]
3. Select the Dynamic radio button in the WAN IP Type Configuration section.





[Screenshot: ether.htm, WAN IP TYPE with the Dynamic radio button selected; Change Password?, Password, Password Confirmation, Submit and Reset]



4. Scroll to the bottom of the screen and click the Submit button. The screen will blink and you will return to the Ethernet Config page.

5. Some Service Providers require the use of a unique DHCP Client Name to acquire an IP address dynamically. Enter this unique name (given to you by your provider) by selecting Config from the main menu (located across the top of the screen) and then selecting General from the menu list (located down the left side of the screen) and typing it in the DHCP Client Name field.



[Screenshot: http://10.200.1.140/general.htm, General Configuration page with the DHCP Client Host Name field filled in]
6. Follow the procedures outlined in DLP-003 to save the settings to nonvolatile memory.



Perform Steps Below in the Order Listed - Static Addressing 



1. Connect the NetVanta 2000 series to a PC and initiate an active browser session (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Config. The Ethernet Config 
page will appear. 



[Screenshot: http://10.200.1.140/ether.htm, Ethernet Config page: LAN IP, Subnet Mask, WAN IP TYPE (Dynamic / Static / PPP over Ethernet), WAN IP 10.200.1.140, Subnet Mask, Service Name, Change Password?, Password, Password Confirmation, AC Name, Reset]
3. Select the Static radio button in the WAN IP Type Configuration section.



[Screenshot: ether.htm, WAN IP TYPE with the Static radio button selected and empty WAN IP / Subnet Mask fields]



4. Enter the IP address of the NetVanta 2000 series WAN interface in the WAN IP data field. Enter the 
appropriate subnet mask in the fields below. 



[Screenshot: ether.htm with WAN IP 10.200.1.140 and Subnet Mask 255.255.0.0 entered, Submit and Reset buttons]
5. Scroll to the bottom of the screen and click the Submit button. The screen will blink and you will return to the Ethernet Config page.

6. Follow the procedures outlined in DLP-003 to save the settings to nonvolatile memory.

Follow-up Procedures

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
CONFIGURING THE WAN INTERFACE FOR PPPoE ADDRESSING



Introduction 

The NetVanta 2000 series supports three IP addressing schemes on the WAN interface — dynamic, static, 
and PPP over Ethernet (PPPoE). This DLP discusses the procedure for using the PPPoE addressing 
scheme. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials are required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
DLP-007

Perform Steps Below in the Order Listed

1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Config. The General page will appear.



[Screenshot: http://10.200.1.140/general.htm, General Configuration page]
3. From the menu list (located on the left side of the screen) select Network Interface. The Ethernet Config page will appear.



[Screenshot: ether.htm, Ethernet Config page with the PPP over Ethernet section: Username, Change Password?, Password, Password Confirmation, AC Name]



4. Select the PPP over Ethernet radio button in the WAN IP Type Configuration section. 

[Screenshot: ether.htm, WAN IP TYPE with the PPP over Ethernet radio button selected]
5. Enter the username (provided by your service provider) in the Username field in the PPP over Ethernet configuration section.



[Screenshot: http://10.200.1.140/ether.htm, PPP over Ethernet section with the Change Password? box checked; Password, Service Name, Password Confirmation, AC Name, Submit and Reset]



6. Enter the password for the username entered in Step 4 in both the Password and Password 
Confirmation fields. 



[Screenshot: ether.htm with the Password and Password Confirmation fields]
For most applications, the Service Name and AC Name (Access Concentrator) fields should remain blank. Only populate these fields if specific information has been provided by the service provider.



7. Scroll to the bottom of the screen and click the Submit button. 



[Screenshot: http://10.200.1.140/ether.htm after clicking Submit]

8. Follow the procedures outlined in DLP-003 to save the settings to nonvolatile memory. 
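The Service Name and AC Name fields correspond to the Service-Name and AC-Name tags a PPPoE access concentrator puts in its discovery offer (PADO, RFC 2516). The following Python is an added example, not ADTRAN code or the unit's PPPoE stack: it encodes and parses discovery packets with length checks, and applies the rule in the note above, accepting any offer when both fields are blank and requiring an exact match when one is configured. The packets and the names isp-ac-01 and internet are constructed.

```python
"""Added example (not ADTRAN code): the PPPoE discovery tags (RFC 2516)
behind the Service Name and AC Name fields of DLP-007.  A PADI/PADO pair
is constructed here so the code runs offline; 'isp-ac-01' and 'internet'
are made-up values."""
import struct

PPPOE_VER_TYPE = 0x11                 # version 1, type 1
CODE_PADI, CODE_PADO = 0x09, 0x07
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0000, 0x0101, 0x0102, 0x0103


def build_discovery(code, session_id, tags):
    """Encode a discovery packet; tags is a list of (tag_type, bytes)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    payload += struct.pack("!HH", TAG_END_OF_LIST, 0)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload)) + payload


def parse_discovery(frame):
    """Decode a discovery packet into (code, session_id, [(tag, value)]),
    refusing anything whose declared lengths do not fit the data."""
    if len(frame) < 6:
        raise ValueError("truncated PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unexpected PPPoE version/type 0x%02x" % ver_type)
    payload = frame[6:6 + length]
    if len(payload) != length:
        raise ValueError("payload shorter than the declared length")
    tags, pos = [], 0
    while pos + 4 <= len(payload):
        tag, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if pos + tag_len > len(payload):
            raise ValueError("tag 0x%04x runs past the payload" % tag)
        if tag == TAG_END_OF_LIST:
            break
        tags.append((tag, payload[pos:pos + tag_len]))
        pos += tag_len
    return code, session_id, tags


def offer_acceptable(pado_frame, service_name="", ac_name=""):
    """Apply the DLP-007 rule: with both fields blank any PADO is accepted;
    a configured Service Name or AC Name must be matched exactly."""
    code, session_id, tags = parse_discovery(pado_frame)
    if code != CODE_PADO or session_id != 0:
        return False
    services = [v.decode("utf-8", "replace") for t, v in tags if t == TAG_SERVICE_NAME]
    acs = [v.decode("utf-8", "replace") for t, v in tags if t == TAG_AC_NAME]
    if not acs or not services:
        return False                      # RFC 2516 requires both in a PADO
    if ac_name and ac_name not in acs:
        return False
    if service_name and service_name not in services:
        return False
    return True


def example_pado():
    """Constructed offer from an access concentrator (made-up names)."""
    return build_discovery(CODE_PADO, 0, [
        (TAG_AC_NAME, b"isp-ac-01"),
        (TAG_SERVICE_NAME, b""),          # 'any service' offer
        (TAG_SERVICE_NAME, b"internet"),
        (TAG_HOST_UNIQ, b"\x00\x01"),
    ])


if __name__ == "__main__":
    pado = example_pado()
    print(parse_discovery(pado))
    print(offer_acceptable(pado), offer_acceptable(pado, ac_name="someone-else"))
```

With the fields left blank, as the note recommends, the first access concentrator to answer wins; filling in AC Name pins the session to one concentrator, which is why it should only be done with a value the provider has actually supplied.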



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
UPGRADING THE FIRMWARE OF THE NETVANTA 2000 SERIES



Introduction 

The NetVanta 2000 series supports firmware updates via the LAN and WAN interfaces over an active Admin login session. Using an active browser session and the provided GUI, the NetVanta 2000 series may be upgraded by loading firmware files (.bin) into the unit.

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials are required. 




The NetVanta 2000 series upgrade firmware feature is only available using the Internet 
Explorer web browser. 




To prevent electrical shock, do not install equipment in a wet location or during a 
DLP-008

Perform Steps Below in the Order Listed

1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Admin. 
3. From the menu list (located down the left side of the screen), select Upgrade Firmware. While this 
page is loading, you will be asked to install and run a Java applet distributed by ADTRAN, Inc., and 
verified by VeriSign Commercial Software Publishers. If security is not enabled on your internet 
browser, the screen below will not be shown. 



4. Click Yes to install and run the Java applet. 




The Java applet must be installed for the firmware update capabilities to function properly. 
5. Enter the filename (including path) of the firmware file you wish to load. Firmware files for the NetVanta 
2000 series will have a .bin extension. 




116 ©2002 ADTRAN, Inc. 61200361L1-1E 

NetVanta 2000 Series System Manual Section 5, DLP-008 



6. Click the Upgrade button to begin the upgrade. 



All settings not saved into nonvolatile memory (following the procedures in 
DLP-002) will be lost during the firmware upgrade. 



During the firmware upgrade, all traffic will be halted through the NetVanta 2000 series. 
The unit will reboot and you will be asked to log in again. 



7. Log in to the NetVanta 2000 series using the admin username and appropriate password to continue 
configuration. 



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
SAVING THE CURRENT CONFIGURATION OF THE NETVANTA 



Introduction 

The NetVanta 2000 series supports configuration transfers from the unit (via either the LAN or WAN 
interface) using an active browser session. This DLP provides the steps to follow for a successful 
configuration transfer using a PC and an active browser session. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials are required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 

DLP-009 



Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select ADMIN. 
3. From the menu list (located on the left side of the screen) select Configuration Transfer. 




4. In the Configuration Download dialog box, click the Download button. A Windows file download dialog 
box will appear. Click the Save file to disk radio button and click OK. 



5. In the Save As dialog box enter the name for the NetVanta configuration file (all filenames must have a 
.bin extension). Browse to the location where you would like to save the file and click the Save button. 



6. A Windows File Download status dialog will briefly display showing the current status of the download. 



7. Using your file manager, check to make sure your configuration file was saved in your desired location. 

Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
LOADING A SAVED CONFIGURATION INTO THE NETVANTA 



Introduction 

The NetVanta 2000 series supports configuration transfers from the unit (via the LAN interface) using an 
active browser session. This DLP provides the steps to follow for a successful configuration transfer using 
a PC and an active browser session. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




The NetVanta 2000 series upgrade firmware feature is only available using the Internet 
Explorer web browser. 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 

DLP-010 



Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select ADMIN. 



[Screenshot: the Admin page. The left menu lists Change Password, Reboot System, Save Settings, 
Factory Defaults, Upgrade Firmware and Configuration Transfer; the Admin Password Setting form has 
Old Password, New Password, Confirm New Password and Session Timeout (secs) fields.] 



3. From the menu list (located on the left side of the screen) select Configuration Transfer. 




4. In the Configuration Upload dialog box either enter the filename of the configuration file you want to 
load into the unit (including path), or click the Browse button to open a Windows Choose file dialog box 
and select the desired file. All configuration files for the NetVanta 2000 series must have a .bin 
extension. 



5. In the Configuration Upload dialog box click the Upload button. If a successful upload is completed, 
the unit will display the status message in the Configuration Upload dialog box. 






6. Once the upload is complete the NetVanta 2000 series unit will reboot to install the new configuration. 
You will need to log in to the unit after the reboot is complete (see DLP-001 for details). 



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
Introduction 

The NetVanta 2000 series contains an internal router which allows multiple users to share a VPN 
connection while the unit is still directing incoming IP traffic. The NetVanta 2000 series router supports 
standard TCP/IP operation, static routes, and the use of RIP V1 and V2. This DLP discusses the procedure 
for adding a default route to the NetVanta 2000 series route table. 



Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 



If you are using Static IP addressing on your WAN interface your Internet Service 
Provider must provide you with the IP address of your first hop router. If you are using 
DHCP (Dynamic) or PPPoE addressing, please complete the steps in DLP-022, Viewing 
the DHCP Info Table before beginning this DLP. You will need to record the IP address 
listed next to Gateways in the WAN interface column. 



Tools and Materials Required 

No special tools or materials required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 



DLP-011 




[Figure: example network for DLP-011. A NetVanta 2100 (LAN address 10.10.10.1, WAN address 
176.124.37.80) connects through a broadband modem to a corporate network fronted by a VPN gateway 
and a router; the addresses 10.70.240.1 and 192.22.76.40 (WAN address) are shown on that side.] 


Perform Steps Below in the Order Listed - Default Route 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Config. 



3. From the menu list (located on the left side of the screen) select Routes. 



[Screenshot: the Routing Table page. Values as shown; cells that could not be read are left blank.] 

Select  Destination IP  Interface Name  Net Mask       Gateway IP      Hop Count  Type 
        10.10.20.0      LAN             255.255.255.0  0.0.0.0                    LOCAL 
        10.200.0.0      WAN             255.255.0.0    0.0.0.0         0          LOCAL 
        0.0.0.0                         0.0.0.0        10.200.254.254  0          LOCAL 

4. Click the Add Route button found in the Route Table dialog box. The Routing Information page will 
appear. 



5. Select the interface associated with the new route from the Interface Name drop down menu. The 
options are CORP (the LAN interface) and WAN. Select WAN to add a default route. 






6. Specify whether this route is the default route by selecting the appropriate radio button next to Default 
Route. For this example we will be entering the default route so Yes will be selected. 



7. Enter the IP address of the far-end network in the Destination IP Address field. For this example we 
are entering a default route so the Destination IP Address will be 0.0.0.0. 







8. Enter the subnet mask for the far-end network in the Net Mask field. For this example we are entering 
a default route so the Net Mask will be 0.0.0.0. 



9. If you are using Static IP Addressing on the WAN interface, enter the IP address of the next hop router 
(provided by your ISP). Alternately, if you are using DHCP (Dynamic) or PPPoE addressing, enter the 
IP address found in the DHCP Info window (see DLP-022 for details). 







10. Enter the number of routers a packet would travel through to reach its destination in the Hop Count 
field. This field is optional and will be left blank for this example. 

11. Click the Add Route button to submit the route to the route table. 

12. Follow the procedures in DLP-003 to save the settings to non-volatile memory. 
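To show what the default route built in steps 5 through 11 actually does, here is an added Python example (not part of the ADTRAN manual) that models the Routing Table from step 3, performs a longest-prefix lookup, and makes the check a practitioner wants before clicking Add Route: that the gateway entered in step 9 lies on a directly connected network. The interface of the default-route row is assumed to be WAN, since the screenshot does not show it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One row of the NetVanta Routing Table page (DLP-011)."""
    destination: str   # Destination IP
    netmask: str       # Net Mask
    interface: str     # Interface Name (CORP/LAN or WAN)
    gateway: str       # Gateway IP; 0.0.0.0 means directly connected
    hop_count: int     # Hop Count (optional in the GUI)
    route_type: str    # Type column

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts a dotted net mask after the slash;
        # 0.0.0.0/0.0.0.0 becomes the all-matching 0.0.0.0/0 network.
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=False)


# Constructed from the Routing Table screenshot in DLP-011. The interface of
# the default-route row is not legible in the manual; WAN is assumed, as
# step 5 says a default route is added on the WAN interface.
ROUTE_TABLE = [
    Route("10.10.20.0", "255.255.255.0", "LAN", "0.0.0.0", 0, "LOCAL"),
    Route("10.200.0.0", "255.255.0.0", "WAN", "0.0.0.0", 0, "LOCAL"),
    Route("0.0.0.0", "0.0.0.0", "WAN", "10.200.254.254", 0, "LOCAL"),
]


def is_default_route(route: Route) -> bool:
    """Destination 0.0.0.0 with mask 0.0.0.0 (steps 7 and 8) matches every address."""
    return route.network.prefixlen == 0


def lookup(dst: str, table=ROUTE_TABLE) -> Optional[Tuple[str, str]]:
    """Longest-prefix match over the table.

    The most specific network containing dst wins, so the default route is
    used only when no LAN or WAN route covers the address. Returns
    (interface, next_hop); for a directly connected route the next hop is
    the destination itself.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        net = route.network
        if addr in net and (best is None or net.prefixlen > best.network.prefixlen):
            best = route
    if best is None:
        return None
    next_hop = dst if best.gateway == "0.0.0.0" else best.gateway
    return best.interface, next_hop


def next_hop_reachable(route: Route, table=ROUTE_TABLE) -> bool:
    """The gateway entered in step 9 must sit on a directly connected network;
    otherwise the unit has no route on which to deliver packets to it."""
    if route.gateway == "0.0.0.0":
        return True
    gw = ipaddress.ip_address(route.gateway)
    return any(
        other.gateway == "0.0.0.0" and gw in other.network
        for other in table
        if other is not route
    )


if __name__ == "__main__":
    for dst in ("10.10.20.7", "10.200.1.140", "192.22.76.40"):
        print(dst, "->", lookup(dst))
    print("default route next hop reachable:", next_hop_reachable(ROUTE_TABLE[2]))
```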



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
CONFIGURING THE LAN INTERFACE DHCP SERVER 



Introduction 

The NetVanta 2000 series contains an internal DHCP server to manage IP addresses on the local network. 
The DHCP server functions on the LAN interface only. This DLP discusses the procedure for configuring 
the DHCP server for standard operation. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 

DLP-012 


[Figure: example LAN for DLP-012. The NetVanta 2100 LAN address is 10.10.10.1; the diagram shows 
DHCP address ranges 10.10.10.2 to 10.10.10.20 and 10.10.10.150 to 10.10.10.170, and also the 
addresses 10.10.10.70 and 10.10.10.9.] 



Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select CONFIG. 



3. From the menu list (located on the left side of the screen) select DHCP Server. The DHCP Server 
Configuration page will appear. 








4. Click the DHCP Enable Yes radio button to enable the DHCP server. The DHCP server is enabled by 
default. 
5. Enter the selected range of IP addresses to be assigned by the NetVanta 2000 series DHCP server in 
the IP Address Range 1-3 fields. If only one range of IP addresses is desired, enter it in the IP 
Address Range 1 field. For our example we will enter three separate ranges. 






6. Enter the LAN IP address of the NetVanta 2000 series unit in the Gateway IP Address field. For our 
example we will enter 10.10.10.1. 



7. Enter the IP address for the primary DNS server you wish the NetVanta 2000 series to use in the DNS 
1 field. For our example we will use the DNS capability of the NetVanta 2000 series so we will enter the 
LAN IP address (10.10.10.1) in the DNS 1 field. You may enter a secondary DNS server in the DNS 2 
field. 






8. Enter the number of seconds you want the NetVanta 2000 series to use for the active lease timer in 
the Lease Duration field. We will use the default 43,200 seconds for this example. 
9. Click the Submit button to make the changes take effect. The page will blink and return you to the 
DHCP Server Configuration page. 

10. Follow the procedures in DLP-003 to save the settings to non-volatile memory. 
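As an added example (not from the manual), the following Python checks a DHCP server configuration like the one built in steps 4 through 10 for the mistakes the GUI does not catch: ranges outside the LAN subnet, ranges that include the gateway address, and overlapping ranges that could hand two clients the same lease. The LAN net mask (255.255.255.0) and the second address range are assumptions, since the manual's figure shows neither.

```python
import ipaddress
from typing import List, Tuple

# Assumed LAN subnet: the manual shows the LAN address 10.10.10.1 and
# 10.10.10.x example hosts but never states the LAN net mask.
LAN_NETWORK = ipaddress.ip_network("10.10.10.0/24")

# Constructed from the DLP-012 example: three ranges, gateway and DNS 1 set to
# the unit's LAN address, and the default 43200-second lease. The middle range
# is not legible in the manual's figure and is assumed here.
EXAMPLE_CONFIG = {
    "enabled": True,
    "ranges": {
        "IP Address Range1": ("10.10.10.2", "10.10.10.20"),
        "IP Address Range2": ("10.10.10.70", "10.10.10.90"),   # assumed
        "IP Address Range3": ("10.10.10.150", "10.10.10.170"),
    },
    "gateway": "10.10.10.1",
    "dns1": "10.10.10.1",
    "dns2": "",
    "lease_seconds": 43200,
}


def check_dhcp_config(cfg: dict, lan: ipaddress.IPv4Network = LAN_NETWORK) -> List[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    problems: List[str] = []
    if not cfg.get("enabled", True):
        return problems  # server disabled: nothing is handed out

    gateway = ipaddress.ip_address(cfg["gateway"])
    if gateway not in lan:
        problems.append(f"gateway {gateway} is not on the LAN subnet {lan}")
    if not cfg.get("dns1"):
        problems.append("DNS 1 is blank: clients will receive no resolver")
    if cfg["lease_seconds"] <= 0:
        problems.append("lease duration must be a positive number of seconds")

    parsed: List[Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
    for name, (lo, hi) in cfg["ranges"].items():
        if not lo and not hi:
            continue  # range fields left blank: unused
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a > hi_a:
            problems.append(f"{name}: start {lo} is above end {hi}")
            continue
        if lo_a not in lan or hi_a not in lan:
            problems.append(f"{name}: {lo}-{hi} is not inside {lan}")
        if lo_a <= gateway <= hi_a:
            problems.append(f"{name}: includes the gateway address {gateway}")
        if lo_a == lan.network_address or hi_a == lan.broadcast_address:
            problems.append(f"{name}: includes the network or broadcast address")
        parsed.append((name, lo_a, hi_a))

    # Overlapping ranges would let two clients be offered the same address.
    parsed.sort(key=lambda r: r[1])
    for (name1, _, hi1), (name2, lo2, _) in zip(parsed, parsed[1:]):
        if lo2 <= hi1:
            problems.append(f"{name1} and {name2} overlap")
    return problems


if __name__ == "__main__":
    print(check_dhcp_config(EXAMPLE_CONFIG) or "DHCP configuration is consistent")
```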

Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
DEFINING A USER GROUP IN THE NETVANTA 



Introduction 

The NetVanta 2000 series has the flexibility to allow policies to be implemented on a per-user basis. With 
the User Group component tables you are able to create groups and assign users that share the same access 
policies. The User Group feature allows each policy to be implemented dynamically as the user logs on 
and off the system. This DLP discusses the procedure for creating a user group in the NetVanta 2000 
series. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 

Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Policies. The Manage Lists menu 
and User Group submenu are automatically displayed. 




3. Click the Add button in the User Group dialog box. The Group Configuration page will appear. 






4. Enter a descriptive name for the group in the Group Name field. This is a character field for up to 16 
characters, and spaces are not allowed. 



5. Select the appropriate authentication type (HTTP or IKE) checkbox. This field may be left blank if no 
authentication is necessary. 






6. If IKE was selected as the authentication method in Step 5, select the appropriate IKE policy from the 
IKE Policy Name drop down menu. 



7. Click the Submit button to add the configured group to the User Group component table. If the group is 
successfully added the User Group page will appear and the added group will be listed. 




User Group 

Select  Group Name  HTTP Authentication  IKE Authentication  Access Policies  SPD Policies 
        RemoteUser  no                   yes                 no               no 

Add | Delete | Edit | Clear | ConfiguredPolicies 



8. Follow the procedures in DLP-003 to save the settings to non-volatile memory. 



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
ADDING A USER TO THE USERS COMPONENT TABLE 



Introduction 

The NetVanta 2000 series has the flexibility to allow policies to be implemented on a per-user basis. With 
the User Group component tables you are able to create groups and assign users that share the same access 
policies. The User Group feature allows each policy to be implemented dynamically as the user logs on 
and off the system. This DLP discusses the procedure for adding a user to a user group in the NetVanta 
2000 series. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 

Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Policies. The Manage Lists menu 
and User Group submenu are automatically displayed. 




3. From the menu list (located on the left side of the screen) select Users (listed as a Manage Lists 
submenu). 






4. Click the Add button in the Users dialog box. The User Configuration page will appear. 
5. Enter a descriptive name for the User in the User Name field. This is a character field and spaces are 
not allowed. 

6. Enter the assigned password in both the Password and Confirm Password fields. This will be the 
user's log on password to activate the associated policies. 

7. Select the group you want to assign this user to in the Group Name drop down menu. 

8. Enter the login timeout you want to assign to this user in the Login Timeout field. 

9. Click the Submit button to add the configured user to the Users component table. If the user is 
successfully added the Users page will appear and the added user will be listed. 
Select  User Name  Group Name  Inactivity Timeout 
        JDoe       RemoteUser  600 

Add | Delete | Edit | CLEAR 




10. Follow the procedures in DLP-003 to save the settings to non-volatile memory. 



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
USING THE IP ADDRESS COMPONENT TABLE 



Introduction 

When configuring the NetVanta 2000 series, IP addresses are used repeatedly in many different 
components of the setup. To make the configuration process easier, the NetVanta 2000 series is equipped 
with an IP Address Component Table. The IP Address Component Table stores entered IP addresses for 
use throughout the configuration. This DLP discusses adding an IP address to this table. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
lightning storm. 

DLP-015 



Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Policies. The Manage Lists menu 
and User Group submenu are automatically displayed. 




3. From the menu list (located on the left side of the screen) select IP Address (listed as a Manage Lists 
submenu). 

4. Click the Add button in the IP Address dialog box. The IP Address Configuration page will appear. 

5. Enter a descriptive name for the IP address in the IP Name field. This is a character field and spaces 
are not allowed. 

6. Specify what type of IP address this record will hold. The IP Address Component Table can hold single 
IP addresses, a range of IP addresses, an entire subnet of addresses, or any address. Click the 
appropriate radio button. 

7. Enter the IP address for this record in the IP Address 1 and 2 fields located at the bottom of the IP 
Address Configuration dialog box. Enter a single IP address in the IP Address 1 field. Enter a range 
using both fields. Enter a subnet of IP addresses by putting the network IP address in the IP Address 
1 field and the subnet mask for that network in the IP Address 2 field. 

8. Click the Submit button to add the configured IP address to the IP Address component table. If the IP 
address is successfully added the IP Address page will appear and the added address will be listed. 

9. Follow the procedures in DLP-003 to save the settings to non-volatile memory. 
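The four record types and the IP Address 1 / IP Address 2 field conventions from steps 6 and 7, modelled in Python as an added example that is not ADTRAN's code. The record names and addresses are constructed, and the strict network check on subnet records (rejecting a host address where the network address belongs) is this example's addition.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

KINDS = ("single", "range", "subnet", "any")   # the four radio buttons of step 6


@dataclass(frozen=True)
class IPRecord:
    """One entry of the IP Address Component Table (DLP-015)."""
    name: str      # IP Name field: no spaces allowed (step 5)
    kind: str      # record type chosen in step 6
    ip1: str = ""  # IP Address 1: the address, the range start, or the network address
    ip2: str = ""  # IP Address 2: the range end, or the subnet mask for "subnet"

    def __post_init__(self) -> None:
        if not self.name or " " in self.name:
            raise ValueError("IP Name must be non-empty and contain no spaces")
        if self.kind not in KINDS:
            raise ValueError(f"unknown record type {self.kind!r}")
        if self.kind == "single":
            ipaddress.ip_address(self.ip1)
        elif self.kind == "range":
            if ipaddress.ip_address(self.ip1) > ipaddress.ip_address(self.ip2):
                raise ValueError("range start is above range end")
        elif self.kind == "subnet":
            # strict=True rejects a host address in IP Address 1: a common slip
            # that would silently make policies apply to a different block.
            ipaddress.ip_network(f"{self.ip1}/{self.ip2}", strict=True)

    def contains(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return a == ipaddress.ip_address(self.ip1)
        if self.kind == "range":
            return ipaddress.ip_address(self.ip1) <= a <= ipaddress.ip_address(self.ip2)
        return a in ipaddress.ip_network(f"{self.ip1}/{self.ip2}", strict=True)


class IPAddressTable:
    """The component table itself: the names are what later policies refer to."""

    def __init__(self) -> None:
        self._records: Dict[str, IPRecord] = {}

    def add(self, record: IPRecord) -> None:
        if record.name in self._records:
            raise ValueError(f"IP Name {record.name!r} already exists")
        self._records[record.name] = record

    def matching(self, addr: str) -> List[str]:
        """Names of every record covering addr, most specific type first."""
        order = {"single": 0, "range": 1, "subnet": 2, "any": 3}
        hits = [r for r in self._records.values() if r.contains(addr)]
        return [r.name for r in sorted(hits, key=lambda r: order[r.kind])]


def example_table() -> IPAddressTable:
    """Constructed entries using addresses that appear elsewhere in this manual."""
    table = IPAddressTable()
    table.add(IPRecord("NetVantaLAN", "single", "10.10.10.1"))
    table.add(IPRecord("DHCPRange1", "range", "10.10.10.2", "10.10.10.20"))
    table.add(IPRecord("CorpLAN", "subnet", "10.10.20.0", "255.255.255.0"))
    table.add(IPRecord("Anywhere", "any"))
    return table


if __name__ == "__main__":
    table = example_table()
    for probe in ("10.10.10.1", "10.10.10.7", "10.10.20.44", "192.0.2.9"):
        print(probe, "->", table.matching(probe))
```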

Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
ADDING A SERVICE TO THE SERVICES COMPONENT TABLE 



Introduction 

When configuring the NetVanta 2000 series, references to specific services (using port numbers) can be 
used over and over again in many different components of the setup. To make the configuration process 
easier, the NetVanta 2000 series is equipped with a Services Component Table. The Services Component 
Table stores entered services (using port numbers) for use throughout the configuration. This DLP 
discusses adding a service to this table. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
DLP-016 



Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Policies. The Manage Lists menu 
and User Group submenu are automatically displayed. 




3. From the menu list (located on the left side of the screen) select Services (listed as a Manage Lists 
submenu). 

4. Click the Add button in the Services dialog box. The Service Configuration page will appear. 

5. Enter a descriptive name for the IP address in the IP Name field. This is a character field and spaces 
are not allowed. 

6. Specify whether this uses TCP or UDP protocol by selecting the appropriate radio button next to the 
protocol. 

7. Enter the port number associated with the service for this record in the Port Number field. 

8. Click the Submit button to add the configured service to the Services component table. If the service is 
successfully added the Services page will appear and the added service will be listed. 

9. Follow the procedures in DLP-003 to save the settings to non-volatile memory. 
Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
GENERATING A SELF-CERTIFICATE REQUEST 



Introduction 

The NetVanta 2000 series supports the use of both RSA and DSS Signature Algorithm Certificates. The 
NetVanta 2000 series provides the capability to generate self-certificate requests, and maintains a listing of 
private keys (certificate requests) that currently have no public key (self-certificate assigned by the 
Certificate Authority). 

Always contact your Certificate Authority (VeriSign, Entrust, etc.) before generating your self-certificate 
request. The parameters configured in your request must match what the Certificate Authority requires for 
you to receive your self-certificate. Once the request is generated, follow your Certificate Authority's 
guidelines for supplying them with your request. Many Certificate Authorities allow e-mail requests, but 
some do not. 

This DLP discusses the steps for generating a self-certificate request and submitting it to an SSH 
Communications Security test certificate website (isakmp-test.ssh.fi) to receive the corresponding 
self-certificate. DLP-018 discusses uploading your Certificate Authority's certificate into the NetVanta 
2000 series and DLP-019 discusses uploading the received self-certificate. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 



Tools and Materials Required 

No special tools or materials required. 




DLP-017 



Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Policies. The Manage Lists menu 
and User Group submenu are automatically displayed. 




3. From the menu list (located on the left side of the screen) select VPN. The IPSec Policies page will 
appear. 

4. From the menu list (located on the left side of the screen) select Certificates (listed as a VPN 
submenu). 

5. In the Self-Certificate section of the page click the Generate Request button. The Request parameters 
box appears. 

(Screen capture: the Generate Request parameters box at http://10.200.1.141/selfcert.tri, with the 
fields Name, Subject (C=US,CN=), Signature Algorithm (RSA), Key Length (512) and Hash Algorithm 
(MD5), and a Reset button.) 
6. Enter a text string (up to 7 characters with no spaces) in the Name field. This name is locally significant 
and should be used to identify different certificate requests generated in the same NetVanta 2000 
series unit. 
7. Enter a subject name to be used when generating the certificate request. For our example we will use 
the fully qualified domain name (FQDN) of the test NetVanta 2000 series unit. 

8. Select the desired algorithm for generating the certificate request from the Signature Algorithm drop 
down menu. The NetVanta 2000 series supports both DSS and RSA algorithms. When determining 
the algorithm to use, remember that RSA is more secure than DSS. 

9. Select the key length used for the request from the drop down menu. The NetVanta 2000 series 
supports both 512 and 1024 bit key lengths. When determining the key length to use, remember that the 
bigger the key length the more security you have. 

10. Select the hash algorithm used for the request from the drop down menu. The NetVanta 2000 series 
supports both MD5 and SHA1 hash algorithms. When determining the hash algorithm to use, 
remember that SHA1 is more secure. 
11. Click the Ok button to submit your certificate request. The Certificate Request dialog box appears. The 
name entered in Step 6 is displayed in the Name field. The actual self-certificate request (in X.509 
PEM (Privacy Enhanced Mail) format) is displayed in the text box beneath the Name. Submit all of this 
text to your Certificate Authority to receive your Self-Certificate. 

12. For our example we will copy all the text in the box and submit it to the test site to receive our 
self-certificate. Highlight all the text in the box and hit <Ctrl + C> to copy the text. 

13. Open a second browser session and enter isakmp-test.ssh.fi in the URL Address field. This will display 
the SSH Communications Security test certificate site. 

14. Click on the X.509 Certificate Enrollment test page link to display the certificate request processing 
screen. 

15. Place your cursor in the text box on the screen and hit <Ctrl + V> to paste the copied certificate 
request into the text box. 
(Screen capture: the certificate request pasted into the test site's text box; the text ends with the 
END CERTIFICATE REQUEST line and is followed by Next page and SSH main page links.) 
16. Click on the Next Page button to display the PKCS#10 Data Verification page. On this page you will 
need to verify the information used to generate your request. If you were working with a Certificate 
Authority, you would have already agreed on this data and submitted it to them before generating the 
request. 



(Screen capture: the test site's Verify PKCS #10 data page at 
http://isakmp-test.ssh.fi/cgi-bin/nph-real-cert/cert.pem. Subject name: Subject Name (LDAP name): 
C=US, CN=netvanta.adtran.com. Subject alt name fields: IP-number, Domain name (FQDN), Email 
(rfc822), URI, Directory name (LDAP name). Key usage bits: DigitalSignature, NonRepudiation, 
KeyEncipherment, DataEncipherment, KeyAgreement, KeyCertSign, CRLSign, EncipherOnly. Extended 
Key Usage OIDs: ServerAuth, ClientAuth, Signing, EmailProtection, Time Stamping, IkeIntermediate. 
Basic constraints.) 
17. Enter the alternate subject data you wish the Certificate Authority to use when generating your 
certificate in the appropriate Subject Alt Name field. This information will be used again when 
configuring your IKE tunnel, so a review of these fields is appropriate. The NetVanta 2000 series 
supports four types of alternate subject data - IP address, Fully Qualified Domain Name (FQDN), User 
FQDN (listed as e-mail rfc822 on the test site), and Der ANSI DN (binary DER encoding of an ASN.1 
X.500 Distinguished Name listed as LDAP on the test site). To use the IP address you must enter the 
WAN IP address of the NetVanta 2000 series that will contain this certificate. If the NetVanta 2000 
series is configured for Dynamic or PPPoE addressing on the WAN interface, using the IP address is 
not valid. To use the FQDN you must enter the DNS name for the NetVanta 2000 series that will 
contain this certificate (example - netvanta.adtran.com). To use the User FQDN (rfc 822) enter your 
e-mail address (example - netvantasupport@adtran.com). To use the Der ANSI DN (LDAP Name) 
enter the X.500 ASN1 name for the NetVanta 2000 series that will contain this certificate (example - 
1.3.6.1.4.1.664.1.147.5.1 or 
iso.org.dod.internet.private.enterprises.adtran.adProducts.adTSUIQ.TechSupport.Unit1). 



The remaining parameters on the test site Verify PKCS #10 data page are beyond the scope of this 
DLP. These parameters would be established by your Certificate Authority and have no bearing on the 
NetVanta 2000 series functionality. 
18. Scroll to the bottom of the page and click the Next Page button. The Final Certificate Parameters page 
will appear. 




(Screen capture: the test site's Final Certificate Parameters page. Expiration date: Year 2001, 
November, 1. Signature format (rsa): sha1WithRSAEncryption (selected) or md5WithRSAEncryption. 
CA chain to use: CA 1, 1024 bit RSA (selected); CA 2, 2048 bit RSA (revoked every night, >2050 
validity); CA 3, 4096 bit RSA (revoked every night, >2050 validity); CA 4, DSA. Chain length from the 
root CA: Chain length of 0 (no chain). Return certificate in save as format. Next page and SSH main 
page links.) 
19. Select the radio button next to the appropriate CA chain you want the CA to use when generating your 
certificate. This should match the key length you selected when generating the request. For our 
example we used 1024, so we will select the first CA chain. Click the Next Page button. 



(Screen capture: the test site's Final Certificate page at 
http://isakmp-test.ssh.fi/cgi-bin/nph-real-cert/cert.pem, showing the issued certificate as PEM text 
between the BEGIN X509 CERTIFICATE and END X509 CERTIFICATE lines, followed by an SSH main 
page link.) 
20. Highlight all the text in the box and hit <Ctrl + C> to copy the text. Paste this text to a notepad file to be 
used later. 

(Screen capture: an Untitled - Notepad window holding the copied certificate text, from the BEGIN X509 
CERTIFICATE line to the END X509 CERTIFICATE line.) 
21. The Certificate Authority's certificate must be uploaded to the NetVanta 2000 series before loading the 
self-certificate. Follow the instructions in DLP-019 to upload the Certificate Authority's certificate to the 
NetVanta 2000 series. 
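Steps 6 through 11 describe the request parameters and step 17 the alternate subject data the CA reviews. The following added example, written in Go for this edition of the page and not taken from the manual or from the NetVanta firmware, builds the same kind of PKCS#10 request with Go's crypto/x509 package and then inspects it the way the test site's Verify PKCS #10 data page does: decode the PEM text, check the request's own signature, and list the subject, alternate names, key length and signature algorithm for comparison with what was agreed with the CA. The type and function names are assumptions, as are the 2048-bit key and SHA-256 signature: the device's menus offer 512/1024-bit keys with MD5 or SHA1, but current libraries refuse to sign with MD5 and current CAs reject 1024-bit RSA, so the example uses values a CA would accept now. The Der ASN.1 DN alternate name type is omitted.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
)

// RequestParams gathers what the Generate Request form asks for plus the alternate
// subject data of step 17. WANIP stays "" when the WAN side is dynamic or PPPoE.
type RequestParams struct {
	Country, CommonName string
	KeyBits             int
	SigAlg              x509.SignatureAlgorithm
	DNSNames, Emails    []string // Subject Alt Name: FQDN and User FQDN (rfc822)
	WANIP               string   // Subject Alt Name: IP address
}

// BuildRequest generates the private key (which stays on the device) and the
// PKCS#10 request as PEM text, the form the device displays for submission.
func BuildRequest(p RequestParams) (csrPEM []byte, key *rsa.PrivateKey, err error) {
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{Country: []string{p.Country}, CommonName: p.CommonName},
		SignatureAlgorithm: p.SigAlg,
		DNSNames:           p.DNSNames,
		EmailAddresses:     p.Emails,
	}
	if p.WANIP != "" {
		ip := net.ParseIP(p.WANIP)
		if ip == nil {
			return nil, nil, fmt.Errorf("invalid WAN IP address %q", p.WANIP)
		}
		tmpl.IPAddresses = []net.IP{ip}
	}
	key, err = rsa.GenerateKey(rand.Reader, p.KeyBits)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// RequestSummary holds the fields a CA operator compares with the agreed data.
type RequestSummary struct {
	Subject, SigAlg        string
	DNSNames, Emails, IPs  []string
	KeyBits                int
}

// InspectRequest mimics the CA side of step 16: decode the PEM text, check the
// request's self-signature (proof that the requester holds the private key that
// matches the enclosed public key) and summarise what the request asks for.
func InspectRequest(csrPEM []byte) (RequestSummary, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return RequestSummary{}, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return RequestSummary{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return RequestSummary{}, fmt.Errorf("request signature does not verify: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return RequestSummary{}, errors.New("only RSA requests are handled in this example")
	}
	s := RequestSummary{
		Subject: csr.Subject.String(), SigAlg: csr.SignatureAlgorithm.String(),
		DNSNames: csr.DNSNames, Emails: csr.EmailAddresses, KeyBits: pub.N.BitLen(),
	}
	for _, ip := range csr.IPAddresses {
		s.IPs = append(s.IPs, ip.String())
	}
	return s, nil
}

// ExampleParams uses the manual's example names; the key size and hash are assumptions.
var ExampleParams = RequestParams{
	Country: "US", CommonName: "netvanta.adtran.com", KeyBits: 2048, SigAlg: x509.SHA256WithRSA,
	DNSNames: []string{"netvanta.adtran.com"}, Emails: []string{"netvantasupport@adtran.com"},
	WANIP: "10.200.1.141",
}

func main() {
	csrPEM, _, err := BuildRequest(ExampleParams)
	if err != nil {
		panic(err)
	}
	s, err := InspectRequest(csrPEM)
	fmt.Printf("%s%+v %v\n", csrPEM, s, err)
}
```

The self-signature check is the step a CA must not skip: a request whose signature does not verify under its own public key proves nothing about who holds the key, so the CA would be certifying a key its requester may not control.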



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
UPLOADING A CA CERTIFICATE TO THE NETVANTA 



Introduction 

The NetVanta 2000 series supports the use of both RSA and DSS Signature Algorithm Certificates. The 
NetVanta 2000 series provides the capability to generate self-certificate requests, and maintains a listing of 
private keys (certificate requests) that currently have no public key (self-certificate assigned by the 
Certificate Authority). 

Before you can load the self-certificate provided by your Certificate Authority (CA) to the NetVanta 2000 
series, you must load the CA's certificate to the NetVanta 2000 series. Without the CA's certificate the 
NetVanta 2000 series cannot verify the received self-certificate. 

This DLP discusses the steps for uploading a CA certificate from a test certificate website 
(isakmp-test.ssh.fi). DLP-017 discusses generating the self-certificate request and DLP-018 discusses 
uploading the received self-certificate. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Policies. The Manage Lists menu 
and User Group submenu are automatically displayed. 




3. From the menu list (located on the left side of the screen) select VPN. The IPSec Policies page will 
appear. 



(Screen capture: the IPSec Policies page at http://10.200.1.141/ptabl.htm. The left-hand menu lists 
Manage Lists, Access Policies: To LAN, From LAN and To DMZ, VPN and Tunnels. The IPSec Policies 
table has the columns Select, Policy Name, Source, Destination, Source Port, Dest Port, Status, Info, 
Tunnel State Up/Down, with the buttons show, modify, delete, clear, Add, Place, manual and auto.) 
4. From the menu list (located on the left side of the screen) select Certificates (listed as a VPN 
submenu). 



(Screen capture: the Certificates page at http://10.200.1.141/certtabl.htm. Self Certificate section: 
columns Select, Subject Name, Serial Number, Issuer Name, Expiry Time; buttons Upload Certificate, 
Delete, Generate Request. CA Certificate section: columns Select, Subject Name, Issuer Name, Expiry 
Time; buttons Upload Certificate, Delete. Private Key Without Public Key section: columns Select, 
Private Key Name.) 
5. In the CA Certificate section of the page click the Upload Certificate button. The CA Certificate 
Uploading parameters box appears. 



(Screen capture: the CA Certificate Uploading box at http://10.200.1.141/trustedcert.tri, with a 
Signature Algorithm choice of RSA or DSS, a text box for the certificate, and an OK button.) 
6. Open a second browser session and enter isakmp-test.ssh.fi in the URL Address field. This will display 
the SSH Communications Security test certificate site. 



(Screen capture: the SSH IPSEC interoperability test node page at http://isakmp-test.ssh.fi/, updated 
15:14 Mar 1 2001. Note on the page: the CA certificates have been recreated with a longer validity 
period and are valid to the end of year 2002; the CA keys are unchanged, so certificates created with the 
old CA certificates remain valid. Links: IPSEC testing (IPsec interoperability test and IPsec SA status 
page, both currently disabled); ISAKMP testing (ISAKMP interoperability test); Certificate testing 
(X.509 Certificate Enrollment test page; Our Test CA 1 files (1024 bit RSA); Our Test CA 2 files (2048 
bit RSA, revoked every night, >2050 validity); Our Test CA 3 files (4096 bit RSA, revoked every night, 
>2050 validity)); information about SSH IPSEC Express, SSH ISAKMP/Oakley and SSH X.509 
Certificate Tools.) 
7. Click on the appropriate Our CA Test CA link. Choose the link that matches the key length you used to 
generate the self-certificate request. In DLP-017 we applied a 1024 bit key to generate our request, so 
we will choose the Our CA Test CA 1 Files (1024 bit RSA) hyperlink. 



(Screen capture: the SSH IPSEC CA 1 Certificates page at http://isakmp-test.ssh.fi/certs/ca1.html, 
listing the CA 1 Root Certificate (pem, bin), the CA 1 Root CRL (pem, bin) and, for each of CA 1 Sub 
CA 1 through Sub CA 9, a certificate and a CRL in pem and bin form.) 
8. The NetVanta 2000 series supports uploading certificates in PEM (Privacy Enhanced Mail) format. 
Select the CA 1 Root Certificate in PEM format. 



(Screen capture: http://isakmp-test.ssh.fi/certs/ca1.pem, showing the CA 1 root certificate as PEM text 
between the BEGIN X509 CERTIFICATE and END X509 CERTIFICATE lines.) 
9. Highlight all the text in the box and hit <Ctrl + C> to copy the text. Return to the NetVanta 2000 series 
CA Certificate Uploading screen and paste the CA Certificate in the text box. 



(Screen capture: the CA Certificate Uploading box at http://10.200.1.141/trustedcert.tri with RSA 
selected and the pasted PEM text ending in the END X509 CERTIFICATE line; OK and Reset buttons.) 
10. Click the OK button to submit the certificate. When the certificate is successfully loaded the 
Certificates page will appear and the certificate will be listed in the CA Certificate section. 



(Screen capture: the Certificates page after the upload. The CA Certificate section lists Subject Name 
/C=FI/O=SSH Communications Security/OU=Web test/CN=Test CA 1, Issuer Name /C=FI/O=SSH 
Communications Security/OU=Web test/CN=Test CA 1, Expiry Time Dec 31 23:59:59 2002 GMT. The 
Self Certificate and Private Key Without Public Key sections are also shown.) 
11. The Certificate Authority's certificate must be uploaded to the NetVanta 2000 series before loading a 
self-certificate. After loading the CA certificate you may proceed to DLP-019 for instructions on loading 
the self-certificate. 

Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
UPLOADING A SELF-CERTIFICATE TO THE NETVANTA 



Introduction 

The NetVanta 2000 series supports the use of both RSA and DSS Signature Algorithm Certificates. The 
NetVanta 2000 series provides the capability to generate self-certificate requests, and maintains a listing of 
private keys (certificate requests) that currently have no public key (self-certificate assigned by the 
Certificate Authority). 

Before you can load the self-certificate provided by your Certificate Authority (CA) to the NetVanta 2000 
series, you must load the CA's certificate to the NetVanta 2000 series. Without the CA's certificate the 
NetVanta 2000 series cannot verify the received self-certificate. 

This DLP discusses the steps for uploading a CA certificate from a test certificate website 
(isakmp-test.ssh.fi). DLP-017 discusses generating the self-certificate request and DLP-018 discusses 
uploading the received self-certificate. 

Prerequisite Procedures 

This DLP assumes that all steps outlined in DLP-017 and DLP-018 are complete and the user has the 
self-certificate in PEM (Privacy Enhanced Mail) format available. 

Tools and Materials Required 

No special tools or materials required. 




Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details). 

2. From the main menu (located across the top of the screen) select Policies. The Manage Lists menu 
and User Group submenu are automatically displayed. 




3. From the menu list (located on the left side of the screen) select VPN. The IPSec Policies page will 
appear. 



(Screen capture: the IPSec Policies page at http://10.200.1.141/ptabl.htm, as shown in DLP-018.) 
4. From the menu list (located on the left side of the screen) select Certificates (listed as a VPN 
submenu). 



5. In the Self-Certificate section of the page click the Upload Certificate button. The Self-Certificate 
Uploading box appears. 



(Screen capture: the Self Certificate Uploading box at http://10.200.1.141/selfcert.tri with a Name 
drop-down menu showing ADTRAN.) 
6. Select the name of the request this self-certificate corresponds to from the Name drop down menu. 
This is the locally significant name that was entered during the self-certificate request process (see 
DLP-017). 



7. Place your cursor in the text box portion of the Self-Certificate Uploading dialog and paste in the 
self-certificate text. If you followed the steps in DLP-017, this certificate text will be in a notepad file. 



(Screen capture: the Self Certificate Uploading box with RSA selected and the self-certificate PEM text 
pasted into the text box, from the BEGIN X509 CERTIFICATE line to the END X509 CERTIFICATE line.) 
8. Click the OK button to submit the self-certificate. When the certificate is successfully loaded the
Certificates page will display and the self-certificate will be listed. Once the self-certificate is loaded for
a particular request, the request is no longer visible in the Private Key Without Public Key list.

[Screenshot: Certificates page listing the Self Certificate table (Subject Name, Serial Number, Issuer Name,
Expiry Time), the CA Certificate table (Subject Name, Issuer Name, Expiry Time) and the Private Key Without
Public Key table (Private Key Name), each with Upload Certificate and Delete buttons and, for self-certificates,
a Generate Request button.]



61200361L1-1E 



©2002 ADTRAN, Inc. 



191 



Section 5, DLP-019 NetVanta 2000 Series System Manual 



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
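Before pasting certificate text into the Self-Certificate Uploading box (steps 7 and 8 above), it is worth confirming that what is on the clipboard is one complete, intact certificate rather than a fragment that lost a line in the copy. The following Python script is an added example, written for this page; it is not ADTRAN's code and does not appear in the manual. It locates the BEGIN/END markers (both the X509 CERTIFICATE form shown on the unit's page and the standard CERTIFICATE form), base64-decodes the body, and checks that the result is a single DER SEQUENCE whose announced length matches what was decoded. It is a structural check only, not a signature or chain validation. The sample blocks it builds are constructed DER fragments, not real certificates, and the function names are my own.

```python
import base64
import binascii
import re

# Accept the "X509 CERTIFICATE" markers shown on the unit's upload page as well as
# the standard "CERTIFICATE" markers.  The body between them is base64 text.
_PEM_RE = re.compile(
    r"-+\s*BEGIN (?:X509 )?CERTIFICATE\s*-+(?P<body>.*?)-+\s*END (?:X509 )?CERTIFICATE\s*-+",
    re.DOTALL,
)


def der_length(data):
    """Decode the DER length that follows the tag at data[0].

    Returns (header_len, content_len): header_len is the number of bytes used by
    tag plus length field, content_len is the length they announce.  None if
    the length field is malformed or cut off.
    """
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one byte holds the length
        return 2, first
    n = first & 0x7F                      # long form: low bits give the byte count
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def check_pasted_certificate(text):
    """Return (ok, detail) for certificate text about to be pasted into the unit."""
    m = _PEM_RE.search(text)
    if not m:
        return False, "no BEGIN/END CERTIFICATE markers found"
    body = "".join(m.group("body").split())   # drop line breaks and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"body is not valid base64: {exc}"
    if not der or der[0] != 0x30:
        return False, "decoded data does not start with a DER SEQUENCE"
    lengths = der_length(der)
    if lengths is None:
        return False, "malformed DER length field"
    header_len, content_len = lengths
    if header_len + content_len != len(der):
        return False, (f"DER announces {header_len + content_len} bytes but "
                       f"{len(der)} were decoded (truncated or extra text?)")
    return True, f"{len(der)} bytes of DER, outer SEQUENCE complete"


def _pem(der):
    """Wrap DER bytes in the marker style seen on the unit's upload page."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN X509 CERTIFICATE-----\n" + "\n".join(lines) +
            "\n-----END X509 CERTIFICATE-----\n")


# Constructed samples (not real certificates): a DER SEQUENCE holding two
# INTEGERs, and the same block with its tail cut off as a bad paste would do.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = _pem(SAMPLE_DER)
TRUNCATED_PEM = _pem(SAMPLE_DER[:-3])

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_PEM), ("truncated", TRUNCATED_PEM)):
        print(label, check_pasted_certificate(text))
```

The length comparison is the useful part: a certificate that lost its last lines still base64-decodes cleanly, so only the DER outer length reveals that the object is incomplete, and a paste that picked up trailing text from the notepad file shows up as extra bytes the same way.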
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REVIEWING THE VARIOUS KEYS OF THE NETVANTA 



Introduction 

Implementing a secure network requires the use of encryption, authentication, and the exchange of keys. 
The NetVanta 2000 series provides Encapsulating Security Payload (ESP) with support for both DES and 
3DES encryption methods. The NetVanta 2000 series also provides Authentication Header (AH) with 
support for MD5-HMAC 128-bit and SHA1-HMAC 160-bit authentication algorithms. This DLP provides 
a quick reference table listing the various keys and the character requirements for each of them. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




To prevent electrical shock, do not install equipment in a wet location or during a 
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Please Refer to the Table Below When Defining Keys in the NetVanta 2000 series

Key Name                           Key Length         Use this key
---------------------------------  -----------------  ------------------------------------------------------
MD5 AUTH KEY                       16 digits          when using MD5 authentication for RIP updates on the
                                                      LAN and/or WAN interface.
MD5 IN and OUT                     16 digits          when configuring MD5 authentication for Manual VPN
                                                      tunnels.
MD5 IN SPI and OUT SPI             numerical >255     when configuring MD5 authentication for Manual VPN
                                                      tunnels.
MD5 IN AUTH KEY and OUT AUTH KEY   16 alphanumeric*   when configuring MD5 authentication for Manual VPN
                                                      tunnels using ESP with AUTH encryption.
SHA1 IN and OUT                    20 alphanumeric*   when configuring SHA1 authentication for Manual VPN
                                                      tunnels.
SHA1 IN SPI and OUT SPI            numerical >255     when configuring SHA1 authentication for Manual VPN
                                                      tunnels.
DES IN SPI and OUT SPI             numerical >255     when configuring DES encryption for Manual VPN tunnels
                                                      using ESP or ESP with AUTH encryption.
3DES IN SPI and OUT SPI            numerical >255     when configuring 3DES encryption for Manual VPN tunnels
                                                      using ESP or ESP with AUTH encryption.
DES IN and OUT ESP                 8 alphanumeric*    when configuring DES encryption for Manual VPN tunnels
                                                      using ESP or ESP with AUTH encryption.
3DES IN and OUT ESP                24 alphanumeric*   when configuring 3DES encryption for Manual VPN tunnels
                                                      using ESP or ESP with AUTH encryption.


* The NetVanta 2000 series translates the inputted alphanumeric digits to their ASCII equivalent, then uses 
the result in Hexadecimal notation for operation. 
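To turn the table above into a check that can be run before typing a key into the unit, here is an added Python example written for this page; it is not ADTRAN's code and is not part of the manual. It encodes each row's rule, validates a value against it, and applies the footnote's translation (each typed character becomes its ASCII byte, used in hexadecimal) so the operator can see the key the unit will actually operate on. It also computes an upper bound on the entropy a key of that shape can carry, which is the caveat the footnote implies: a 24-character alphanumeric 3DES key occupies 192 bits, but each character is drawn from only 62 symbols, so the key can never carry 192 bits of randomness, and a 16-digit MD5 key carries at most about 53 bits. The row labels used as dictionary keys and the function names are my own.

```python
import math
import re

# One entry per row of the table above.  Kind "digits" = decimal digits only,
# "alnum" = letters and digits (the asterisked rows), "spi" = a number above 255.
KEY_RULES = {
    "MD5 AUTH KEY":         ("digits", 16),
    "MD5 IN/OUT":           ("digits", 16),
    "MD5 IN/OUT SPI":       ("spi", None),
    "MD5 IN/OUT AUTH KEY":  ("alnum", 16),
    "SHA1 IN/OUT":          ("alnum", 20),
    "SHA1 IN/OUT SPI":      ("spi", None),
    "DES IN/OUT SPI":       ("spi", None),
    "3DES IN/OUT SPI":      ("spi", None),
    "DES IN/OUT ESP":       ("alnum", 8),
    "3DES IN/OUT ESP":      ("alnum", 24),
}

ALPHABET_SIZE = {"digits": 10, "alnum": 62}   # 0-9 versus 0-9, A-Z, a-z


def _is_decimal(value):
    return re.fullmatch(r"[0-9]+", value) is not None


def check_key(key_name, value):
    """Return (ok, message) telling whether value satisfies the table's rule."""
    kind, length = KEY_RULES[key_name]
    if kind == "spi":
        if not _is_decimal(value):
            return False, "SPI must be a decimal number"
        if int(value) <= 255:
            return False, "SPI must be greater than 255"
        return True, "ok"
    if len(value) != length:
        return False, f"expected {length} characters, got {len(value)}"
    if kind == "digits" and not _is_decimal(value):
        return False, "digits only"
    if kind == "alnum" and not re.fullmatch(r"[A-Za-z0-9]+", value):
        return False, "letters and digits only"
    return True, "ok"


def key_as_hex(value):
    """Apply the footnote: each typed character becomes its ASCII byte, shown in hex."""
    return value.encode("ascii").hex()


def key_bits(value):
    """Nominal key length in bits once the ASCII translation has been applied."""
    return 8 * len(value)


def max_entropy_bits(key_name):
    """Upper bound on the randomness a key of this shape can carry, in bits."""
    kind, length = KEY_RULES[key_name]
    if kind == "spi":
        return 0.0          # an SPI identifies the SA; it is not a secret
    return length * math.log2(ALPHABET_SIZE[kind])


def prepare_key(key_name, value):
    """Validate, then report the hex form and bit lengths the operator should expect."""
    ok, message = check_key(key_name, value)
    if not ok:
        raise ValueError(f"{key_name}: {message}")
    if KEY_RULES[key_name][0] == "spi":
        return {"spi": int(value)}
    return {
        "hex": key_as_hex(value),
        "nominal_bits": key_bits(value),
        "max_entropy_bits": round(max_entropy_bits(key_name), 1),
    }


if __name__ == "__main__":
    # Constructed sample values, not keys from the manual.
    print(prepare_key("DES IN/OUT ESP", "ABCDEFGH"))
    print(prepare_key("3DES IN/OUT ESP", "0123456789abcdefghijklmn"))
    print(prepare_key("DES IN/OUT SPI", "256"))
```

The practical consequence of the entropy figure is that a key generated from a random source (rather than a memorable word) is the only way to get close to the bound, and even then the ASCII mapping caps it below the nominal bit length; choosing 3DES over DES still helps, since the 24-character bound is far higher than the 8-character one.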
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Introduction 

The NetVanta 2000 series provides two methods of restoring the unit to factory defaults - software and 
hardware. This DLP discusses each method and the necessary steps. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




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Perform Steps Below in the Order Listed - Software Default

Performing a factory default using software will restore ALL configurable
parameters of the NetVanta 2000 series to factory conditions. All modified interface
addresses will be lost, which may disrupt communications with the unit.



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen), select Admin. This displays the Change
Password dialog box.

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3. From the menu list (located on the left side of the screen) select Factory Default.

[Screenshot: Factory Defaults page. It reads "Warning: This option erases all the databases! Do you really
want to reset your settings to the Factory Default?" and notes that after switching to factory defaults you
must Reboot the System to make the new settings effective.]

4. Click the Yes button to submit the operation. This will display the Reboot Confirmation screen.

[Screenshot: Reboot Confirmation screen. It reads "You must reboot for the factory defaults to take effect!
Reboot the NetVanta?" with Yes and No buttons.]

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5. Click Yes to reboot the NetVanta 2000 series and restore all parameters to factory default settings.

[Screenshot: Reboot System page. Operation Result reads "The unit is rebooting. Please wait to log back in."
with a Login Again link.]

6. Complete the steps in DLP-001 to access the NetVanta 2000 series unit. 



Perform Steps Below in the Order Listed - Hardware Default

Performing a factory default using hardware only restores the LAN interface
parameters to default state. The DHCP server will be enabled and the LAN interface
will be given an IP address of 10.10.10.1.



1. Make sure the NetVanta 2000 series unit is powered up.

2. On the rear panel of the NetVanta 2000 series unit there is a factory default pinhole located between 
the LAN and WAN interfaces. Push the factory default pinhole for 1-2 seconds to restore the LAN 
interface factory settings. 



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
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VIEWING THE DHCP INFO TABLE 



Introduction 

The NetVanta 2000 series supports three IP addressing schemes on the WAN interface — dynamic, static, 
and PPP over Ethernet (PPPoE). When the WAN interface is configured for dynamic (DHCP) or PPPoE 
addressing, important information can be obtained by viewing the DHCP information the NetVanta 2000 
series receives from your provider's DHCP server. The NetVanta 2000 series contains a table listing all 
DHCP information for both the LAN and WAN interfaces. This DLP discusses viewing that information. 

Prerequisite Procedures 

This DLP assumes the NetVanta 2000 series is connected to a PC and a browser session is active. Refer to 
DLP-001 for more details. 

Tools and Materials Required 

No special tools or materials required. 




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Perform Steps Below in the Order Listed 



1. Log in to the NetVanta 2000 series as admin (see DLP-001 for details).

2. From the main menu (located across the top of the screen) select Config.

[Screenshot: General Configuration page showing Serial Number, Firmware Version, System Up Time, Time Zone,
System Date and Time, Time Server Address, DNS Server 1 and 2 Addresses, DHCP Client Host Name and the
factory, masquerading and current MAC Address settings.]

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3. From the menu list (located on the left side of the screen) select Network Interface. The Ethernet
Config page will appear.

[Screenshot: Ethernet Config page showing the LAN IP and Subnet Mask, the WAN IP TYPE selector (Dynamic,
Static or PPP over Ethernet), the WAN IP and Subnet Mask, and the PPP over Ethernet fields (Service Name,
Password, Password Confirmation, AC Name).]

4. From the menu list (located on the left side of the screen) select DHCP Info.

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5. Record any information needed from this table for future use. 



The IP address listed next to Gateways in the WAN column (172.124.37.252 for this 
example) will be used when adding the default route to the NetVanta 2000 series route 
table (see DLP-011). Record this address for future reference. 



Follow-up Procedures 

Once this procedure is complete, return to the procedure which referred you to this DLP and continue with 
the tasks indicated there. 
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Authentication 

Identifying and validating a given user. 

Data integrity 

Traditionally, data integrity checking has involved attaching a checksum to a string of data to 
check against accidental data corruption. More sophisticated security algorithms add other 
validators such as time and date stamps to make sure data is not intercepted or altered. 

Data Encryption Standard (DES) 

Is a symmetric block cipher algorithm used as a confidentiality mechanism for the encapsulating 
security payload (ESP). 

Data privacy 

To prevent data from being read by humans or machines during transmission, data privacy 
algorithms such as Data Encryption Standard (DES) encrypt and then decrypt the data before and 
after transmission. 

Denial of service (DOS) attack 

A method of flooding a site with "spoofed" (artificially generated) packets. A DOS tries to
generate enough traffic to deny service to legitimate users. One recent method has been called
"smurfing."

Encapsulating Security Payload 

Provides confidentiality for IP datagrams by encrypting the payload data to be protected. 

Encryption 

The use of algorithms such as MD5 or SHA to encrypt (code) and then decrypt (decode) a
password. Most encryption algorithms rely upon some sort of private key.

Filtrating 

The process of statistically sampling the queue size and dropping packets when the queue reaches
a threshold. Common methods are random early detection (RED) and weighted random early detection
(WRED).

Firewall 

Usually a combination of hardware and software that protects an organization's network from 
external attacks or intrusions. Most firewalls make use of a proxy server that performs a validation 
and filtering function for the organization. 

Hash Values 

Locator numbers that replace a given value with a location in a table. The locator number is later 
used to retrieve the original data. Hashing is analogous to storing a coat on a coat rack. The hash 
ID is saved and used later for retrieval. 
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HTTP 

HyperText Transfer Protocol is the protocol that carries requests from a browser to a Web server 
and also transports Web pages from a Web server back to the requesting browser. HTTP is the 
most universally used Web transfer protocol, but it is not inherently a secure protocol. 

ICMP Redirect 

Not necessarily a malicious condition, some routers generate a redirection message whenever a 
packet is rerouted. If these messages become excessive or if some mischievous person is 
generating these messages in an exponential fashion this condition can become invasive. 

IP Reassembly 

TCP/IP is a system of packet creation, packet disassembly, packet transmission, and packet 
reassembly. An intruder sometimes tries to intervene in the reassembly process and insert bogus 
extra or replacement segments. 

IPSec 

A method of providing secure communication (Internet Protocol security) over potentially 
insecure network components such as intermediate routers. IPSec defines encryption, 
authentication, and key management standards. IPSec protocols support transport mode and tunnel 
mode operations. 

IP Spoofing 

Gaining access to a computer by pretending to be at a trusted IP address. By setting up a firewall, 
all access must come through the firewall and pick up the only authorized address of the firewall 
after adequate authentication is completed. 

Land attacks 

A special type of denial of service attack where an intruder or intruding program identifies a 
source and direction of a particular packet and reverses (or swaps) these two IP addresses. This 
kind of attack can range from being a nuisance, to being a tragic menace if it prevents the delivery 
of an important document or message. 

Masquerading 

An unauthorized user assumes the identity of an authorized user.

Packet filtering

Is access control at the Internet Protocol layer. This includes accepting or rejecting (dropping) 
frames of data based on source and destination addresses. This is a very basic filtering method that 
does not include using passwords or authentication algorithms. 

Ping of death 

Is a denial of service attack that relies upon TCP/IP's difficulty handling unusually large ping 
packets. If not protected, a system that receives an oversize ping packet may hang or crash. 

Proxy server 

A firewall component that manages Internet traffic to and from a network and provides other 
features such as file caching and access control. A proxy server can also improve performance by 
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caching frequently requested web pages and can filter unauthorized user requests for access to files 
or designated web sites. 

Replay attack 

Capturing and storing a password-included packet and then reissuing that packet in an attempt to 
gain unauthorized access. 

Routing Information Protocol 

A protocol for exchanging routing information among gateways and other hosts. 

Security Associations 

Agreements or negotiations between two or more communicating parties. The details of these 
agreements involve decisions on which keys and algorithms are going to be used, and when these 
security elements are going to be changed. 

Security Parameter Index (SPI) 

An arbitrary 32-bit value that is assigned to an SA when it is first created. The SPI, when 
combined with the destination IP address and security protocol (AH or ESP), uniquely identifies 
the SA. 

Source Routing 

Source routing is a strict method of routing datagrams that uses a 32-bit header that embeds a 
source address, a destination address, a type of service, and other constants and variables that 
combine to protect the datagram from incorrect or failed routing. 

SYN Flooding 

Typically most systems process a queue of about 10 connection attempts (SYNs) at a time. A
malicious intruder who fabricates connection attempts and tries to "flood" a system is using a
denial of service attack known as SYN flooding.

Traffic Shaping 

Is a process of minimizing the congestion of a stream of traffic at every connection, physical or 
virtual. The net effect is to optimize the overall result. 

Virtual Private Network (VPN) 

Is a private connection that sends private data traffic over the Internet. This lets organizations 
extend network service over the Internet to branch offices and remote users creating a private 
WAN (Wide Area Network). 
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ACRONYMS 

AH 

Authentication Header 

ALG 

Application Level Gateway 

ASP 

Active Server Protocol 

ATM 

Asynchronous Transfer Mode 

CERT 

Computer Emergency Response Team 

DDOS 

Distributed Denial of Service 

DES 

Data Encryption Standard 

DH 

Diffie-Hellman shared secret algorithm

DHCP 

Dynamic Host Configuration Protocol 

DNS 

Domain Name Server 

DSA 

Digital Signature Algorithm 

DSL 

Digital Subscriber Loop 

DSU/CSU 

Data Service Unit/Channel Service Unit 

ECN 

Explicit Congestion Notification 

ESP 

Encapsulating Security Payload 

HTTP 
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Hyper Text Transfer Protocol 

ICMP 

Internet Control Message Protocol 

IETF 

Internet Engineering Task Force 

IEEE-SA 

IEEE Standards Association 

IKE 

Internet Key Exchange 

IPSec 

Internet Protocol Security 

MPOA 

Multiprotocol Over ATM 

NAT 

Network Address Translation 

NIST 

National Institute of Standards and Technology 

NNTP 

Network News Transfer Protocol 

NSA 

National Security Agency 

RIP 

Routing Information Protocol 

RSA 

A public key encryption algorithm 

RSVP 

Resource Reservation Protocol 

QOS 

Quality of Service 

SA 

Security Association 

SG 

Security Gateway 
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SHA 

Secure Hash Algorithm 

SPD 

Security Policy Database 

SPI 

Security Parameter Index 

VPN 

Virtual Private Network 

VRRP 

Virtual Router Redundancy Protocol 

WAN 

Wide area network 

WELF 

Webtrend Extended Log Format 

WFQ 

Weighted fair queuing 
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